Leaky Web Sites Tell All About You

It's creepy how easily Net snoops can retrace your steps

Fred Fluffernutter is a pro-choice baseball fan who reads the electronic version of The Washington Post and shops online at Victoria's Secret, Amazon.com (AMZN ), and L.L. Bean. I know every Web site where Fred is registered because I invented him and filled out the forms. But it is distressingly easy for anyone to assemble a profile of Fred -- or you or me -- because of the way Web sites leak personal information.

A simple and legal way of harvesting personal data from many sites was described to me by Blue Security, an Israeli company, which calls the technique "hostile consumer profiling." A marketer or would-be identity thief begins by obtaining someone's e-mail address, in this case, fred_fluffernutter@hotmail.com. Many sites that require registration use your Net address as a user name; in other cases, people are likely to choose login names, such as fred_fluffernutter, based on their Net address.

Partly because of that convention, it's all too easy to find out who is registered for what activities. For example, if you attempt to register at NARAL Pro-Choice America with a name already in use -- say, Fred's -- a message pops up on the screen, saying: "Thank you for confirming your membership." An impostor or a marketer building a profile can now infer that Fred is a likely supporter of abortion rights.

OTHER SITES CAN BE TRICKED into confirming a registration. For example, if you request a "lost" password, they will report either that the password has been sent to the registered e-mail address or that no such address is recorded. I used such tricks to verify that Fred had registered at the Web sites of Major League Baseball, The Post, Victoria's Secret, and L.L. Bean, and the same techniques could be used with thousands of other sites. Harvesting this information one site and one user at a time would be economically impractical, but it doesn't take a great deal of skill to write a program that will automate the chore, checking thousands of addresses against dozens of sites.

The frustrating thing is that this information is so readily available -- when it would take so little for Web sites to protect users' privacy by acting responsibly. Blue Security found that no online banks give up information to these simple-minded attacks. One reason, of course, is that they typically base the identity of their users on account numbers, not e-mail addresses or self-chosen names.

Security-savvy organizations often include a sort of puzzle in the registration process. Typically, this is a random word displayed in distorted type against a complicated background. To go forward with a request, you must type the word into a box. The trick is that the word is easy for people to read, but difficult or impossible for a computer, so it frustrates automated harvesting of information. But the organization must make special provisions for the visually impaired.

A better approach is taken by the Gay & Lesbian Alliance Against Defamation. When you register on glaad.org, you are sent an e-mail to confirm. If someone else tries to sign up using the same e-mail address, the registration appears to be accepted, but the site issues another e-mail requesting confirmation. The phony registrant learns nothing, and the real account owner is notified of the spoofing attempt (and is asked to forward the message back to GLAAD).

The sort of information leaked by poorly designed Web sites won't let anyone else run up charges on your credit card. But the ease with which someone can build a profile of your interests and activities is more than a little creepy. And the information harvested can be used to create targeted spam or individualized phishing attempts that leverage information about you -- "Special for Boston Red Sox fans!" -- to extract more valuable data, such as account numbers and passwords. Considering how easy it is to prevent such attacks, Web site operators have no excuse not to take the steps needed to protect their customers or members.

For a collection of past columns and online-only reviews of technology products, click here

By Stephen H. Wildstrom

    Before it's here, it's on the Bloomberg Terminal.