1) So my high level complaint is that @netflix seems to think an account being compromised is the users' fault, not bad security design. =/ First fail, and hard fail for me.
It should be the goal to have processes and systems that prevent compromise. Don't blame the victim.
2) Next up, during the live chat to restore my account, I get a pop-up form *inside* the chat to enter my CC number. I get it, verification, blah blah. And sure, it's encrypted, nice. But this erodes trust! Don't ask for a valued & at-risk bit of info for verification!
2 cont) And when you pop up a form to enter CC number *inside* the live chat, it looks *super sketchy*. Like, no obvious URL, no obvious way to tell that this too is encrypted. Sketchy! It breaks users' expectations about what is and isn't secure on the web. Don't do that!
3) While doing #1, the person reading their @netflix support script told me I *really* need to add a phone # to my account for "security". Uh, why? Phone #s, texts, etc. are all *less* secure than email. And prob. started by changing email! Attacker can just change phone # too!
3 cont) And the email they send as a follow-up, while trying to blame me for not keeping my account secure, *again* suggests this. The email at least admits this actually just makes it *easier* to compromise the account by giving another PW reset mechanism. Thanks.
3 cont) Repeat after me: phone numbers are not a security mechanism. They are at best a terrible username! You already have a decent one: my email address! But you let an attacker change it w/o confirmation. But you'd do the same w/ a phone number! And confirmation is harder!
... know all of this stuff and way more. Talk to them! Get your act together! Because honestly, I'm in your corner. I really love @netflix and want to recommend it. This is my first (and painful) bad experience. Hoping to see improvement. (fin)
(not quite fin) https://twitter.com/chandlerc1024/status/1213111514644799488 … They literally say they won't ask for CC. But that's different because the live chat window isn't "over email". ARRRRRRG!
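The design point in part 3 of the thread is that changing the account's email address should not take effect until the *current* address confirms it, otherwise anyone holding a stolen session can silently redirect every later password reset. The following is an added illustration of that flow, not Netflix's code or anything from the thread: a hypothetical `EmailChangeService` that signs a change request with a server-side HMAC key, mails the confirmation token to the old address only, and rejects forged, expired and stale tokens. The account, addresses, secret and clock are all constructed sample values; `outbox` stands in for a real mail gateway.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class EmailChangeService:
    """Hypothetical account service: an email change is pending until the
    address the account *already* has confirms it."""

    def __init__(self, secret: bytes, ttl_seconds: int = 3600, clock=time.time):
        self._secret = secret        # server-side HMAC key (constructed for the example)
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised offline
        self.accounts = {}           # user_id -> current (verified) email address
        self.outbox = {}             # address -> messages "sent" there; stands in for mail delivery

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._secret, payload, hashlib.sha256).hexdigest()

    def request_email_change(self, user_id: str, new_email: str) -> str:
        old_email = self.accounts[user_id]
        payload = json.dumps({
            "uid": user_id, "old": old_email, "new": new_email,
            "exp": int(self._clock()) + self._ttl,
            "nonce": secrets.token_hex(8),
        }, sort_keys=True).encode()
        token = base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)
        # The confirmation goes to the address the account already has. Someone who
        # only holds a stolen session never sees it, so they cannot finish the change.
        self.outbox.setdefault(old_email, []).append({
            "subject": "Confirm the new email address for your account",
            "new_email": new_email, "token": token,
        })
        return token

    def confirm_email_change(self, token: str) -> bool:
        try:
            encoded, sig = token.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
        except ValueError:
            return False
        if not hmac.compare_digest(self._sign(payload), sig):
            return False             # forged or tampered token
        data = json.loads(payload)
        if data["exp"] < self._clock():
            return False             # expired
        if self.accounts.get(data["uid"]) != data["old"]:
            return False             # stale: the address changed since this token was issued
        self.accounts[data["uid"]] = data["new"]
        return True


def run_scenarios() -> dict:
    """Walk through the attack the thread describes and the legitimate flow."""
    clock = [1_700_000_000]          # constructed fake clock, seconds
    svc = EmailChangeService(secret=secrets.token_bytes(32), ttl_seconds=600,
                             clock=lambda: clock[0])
    svc.accounts["u1"] = "victim@example.com"   # constructed sample account
    results = {}

    # 1. Attacker with a stolen session points the account at their own address.
    token = svc.request_email_change("u1", "attacker@example.net")
    results["change_needs_confirmation"] = svc.accounts["u1"] == "victim@example.com"
    results["mail_went_to_old_address"] = (
        "victim@example.com" in svc.outbox and "attacker@example.net" not in svc.outbox)

    # 2. Attacker knows the token format but not the key, and forges a signature.
    encoded, _sig = token.split(".", 1)
    forged_sig = hmac.new(b"guess", base64.urlsafe_b64decode(encoded), hashlib.sha256).hexdigest()
    results["forged_token_rejected"] = not svc.confirm_email_change(encoded + "." + forged_sig)

    # 3. The real token is replayed after its lifetime has passed.
    clock[0] += 601
    results["expired_token_rejected"] = not svc.confirm_email_change(token)

    # 4. Legitimate flow: the owner requests a change and confirms from the old inbox in time.
    fresh = svc.outbox["victim@example.com"]
    fresh_token = svc.request_email_change("u1", "victim-new@example.com")
    results["legitimate_change_applied"] = (
        svc.confirm_email_change(fresh_token)
        and svc.accounts["u1"] == "victim-new@example.com"
        and len(fresh) == 2)         # both confirmations landed in the old inbox
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The same shape applies to adding or changing a phone number: the existing contact channel, not the new one, is asked to approve, so adding a recovery factor cannot itself become the takeover path the thread warns about.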