12-11-2014, 06:15 AM
iSpyCams
Amateur Gynecologist
Join Date: May 2009
Location: Medellin
Posts: 4,436
liability for storing member passwords unencrypted?

OK so recently I stumbled on a thread in another forum where a victim of credit card fraud had contacted the website his card was used on and was given the username, password and email used to create the bogus account.

The cardholder then attempted to access the email account using the same password, and it worked. Through the email he was able to discover that the thieves had his SSN and quite a bit of other information and also seemed to have stolen the identity of several other people using the same email.

He wanted to report it to the authorities but was concerned since he had made unauthorized entry to someone's email and didn't want to end up getting charged with hacking or whatever.

This led to a lot of anal-retentive, self-declared ipsecurity experts and armchair lawyers claiming that passwords should NEVER be stored as anything but a hash and should not be visible to anyone, ever, not the site owner, not customer service or anyone, and furthermore that storing them in any other way opens the site owner up to criminal (not civil) liability.

I find this highly doubtful simply because it seems that pretty much the entire industry does not work that way. All the industry-standard tools that I use or am aware of, including NATS, Mechbunny, Netbilling and others, make the password visible to admins and CS reps, are frequently used to review for potential fraud patterns, and with the various postback systems it may not even be possible to completely encrypt them.

Is it true that we are all exposing ourselves to criminal liability? Are you guys storing passwords encrypted? Are the passwords visible to anyone? What's the real story?
__________________
- As soon as I think up a good sig it's going here.