Yeah, @netflix, your security setup is super unfriendly to your users.
1) Don't blame your users for lousy security.
2) Glad you didn't ask me to give my PW to live chat, but asking for a CC #? Almost as bad.
3) Adding a phone number doesn't increase security.
https://twitter.com/chandlerc1024/status/1212874897757757450
1) So my high level complaint is that @netflix seems to think an account being compromised is the users' fault, not bad security design. =/ First fail, and hard fail for me. It should be the goal to have processes and systems that prevent compromise. Don't blame the victim.
2) Next up, during the live chat to restore my account, I get a pop-up form *inside* the chat to enter my CC number. I get it, verification, blah blah. And sure, it's encrypted, nice. But this erodes trust! Don't ask for a valued & at-risk bit of info for verification!
2 cont) And when you pop up a form to enter CC number *inside* the live chat, it looks *super sketchy*. Like, no obvious URL, no obvious way to tell that this too is encrypted. Sketchy! It breaks users' expectations about what is and isn't secure on the web. Don't do that!
3) While doing #1, person reading their @netflix support script told me I *really* need to add a phone # to my account for "security". Uh, why? Phone#, texts, etc. are all *less* secure than email. And prob. started by changing email! Attacker can just change phone# too!
3 cont) And the email they send as a follow-up, while trying to blame me for not keeping my account secure, *again* suggests this. The email at least admits this actually just makes it *easier* to compromise the account by giving another PW reset mechanism. Thanks.
3 cont) Repeat after me: phone numbers are not a security mechanism. They are at best a terrible username! You already have a decent one: my email address! But you let an attacker change it w/o confirmation. But you'd do the same w/ a phone number! And confirmation is harder!
(conclusion) I suspect I'm more tech/security aware than avg. @netflix customer, so I'm writing this up in the (likely futile) hope that folks at @netflix read and start fixing it. Free advice! I'm not even a real security engineer, and I bet you already have some who ...
... know all of this stuff and way more. Talk to them! Get your act together! Because honestly, I'm in your corner. I really love @netflix and want to recommend it. This is my first (and painful) bad experience. Hoping to see improvement. (fin)
(not quite fin) https://twitter.com/chandlerc1024/status/1213111514644799488 They literally say they won't ask for CC. But that's different because the live chat window isn't "over email". ARRRRRRG!