You may call me paranoid or over-cautious after reading this. I wanted to write about this long ago, as soon as I heard this advertisement and thought it was totally insane. But I was busy. Thanks to the most gruelling bloodshed of recent times in one of the prestigious higher educational institutes of the country, I get the chance to pick up one of the drafts left in my blog. Here it goes.
Recently, Etisalat, a mobile service provider, advertised a scheme for users to chat on Facebook via SMS, and both of the ways they suggest users register have fundamental flaws. In method 1 they want users to enter their Facebook username and password on Etisalat's own site, www.etisalat.lk. In the other method they suggest users SMS their username and password to a number.
As has been discussed over and over again by people like Jeff Atwood and Dare Obasanjo, as a third party it's wrong to ask the user to "Please Give Us Your Email Password". You may be trying to help. But some may consider it offensive. You are asking for the keys to their online identity.
Next thing: is it OK to let users get comfortable with entering their credentials in all sorts of random places, making them more susceptible to phishing attacks?
Then, asking them to SMS the credentials as plain text! Huh? In this era of WikiLeaks? How can the user be confident that these usernames and passwords are not going to rest in a database as plain text, where an employee with malicious intent can copy them with a mouse click and sell them for a fortune?? You're Probably Storing Passwords Incorrectly!!!
I doubt the engineers at Etisalat were unaware of OAuth or Facebook Connect, or of the simple option of coming to an agreement with Facebook to send a confirmation code to the user's phone without making them SMS passwords. Did they exploit the illiteracy of the majority of Sri Lankan internet users, teaching them bad habits and letting their online identities be compromised? Or is somebody simply being lazy?
For example, OAuth is a technology built to let applications access Twitter/Facebook on users' behalf, with their approval, without ever asking them directly for the password. So users will be more willing to use your service.
And one more thing. In your method everything works fine until the user changes their Twitter/Facebook password. This is one of the major things OAuth solves: the users' access is not tied to their current username/password combination, so they are free to change it without having to update a couple dozen external apps.
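A toy version of the delegated-access flow described above, added here as an illustration (it is not Etisalat's, Facebook's or Twitter's code): the provider alone checks the password and hands the app a token, so a password change leaves the app working while the user can still revoke that one app. The app id "sms-chat", its client secret and the user "alice" are constructed for the example.

```python
import hashlib
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Provider:
    # Stand-in for the Facebook/Twitter side: it alone holds the password and issues tokens.
    def __init__(self):
        self.users = {}    # username -> (salt, password hash); never plain text
        self.codes = {}    # one-time authorization code -> (username, client_id)
        self.tokens = {}   # access token -> (username, client_id)
        self.clients = {"sms-chat": "example-client-secret"}  # hypothetical registered app
    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))
    def authorize(self, username, password, client_id):
        # Step 1: the user logs in at the provider (not at the app) and approves the app.
        salt, digest = self.users[username]
        if client_id not in self.clients or not secrets.compare_digest(digest, hash_password(password, salt)):
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id)
        return code
    def exchange_code(self, code, client_id, client_secret):
        # Step 2: the app trades the one-time code for an access token using its own credentials.
        owner = self.codes.pop(code, None)
        if owner is None or owner[1] != client_id or self.clients.get(client_id) != client_secret:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = owner
        return token
    def whoami(self, token):
        # Step 3: an API call made on the user's behalf; works only while the token is valid.
        return self.tokens.get(token, (None, None))[0]
    def revoke_app(self, username, client_id):
        # The user can cut off one app without touching their password or any other app.
        self.tokens = {t: o for t, o in self.tokens.items() if o != (username, client_id)}

def run_flow():
    fb = Provider()
    fb.set_password("alice", "correct horse")
    code = fb.authorize("alice", "correct horse", "sms-chat")
    token = fb.exchange_code(code, "sms-chat", "example-client-secret")
    granted = fb.whoami(token)                     # "alice": the app acts for her without her password
    fb.set_password("alice", "battery staple")     # password change: the token is unaffected
    after_change = fb.whoami(token)
    replay = fb.exchange_code(code, "sms-chat", "example-client-secret")  # the code is single use
    fb.revoke_app("alice", "sms-chat")
    after_revoke = fb.whoami(token)
    return granted, after_change, replay, after_revoke
```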
So why choose the hard, insecure, inconvenient way? There may not be a perfect security solution. But it is always good not to hide such critical information from users and to keep them informed. As professionals, let us not only teach people to use technology, but also to do it in the safer, more efficient and right way.