2014’s Naughty eRetailers: Who Made the List?

December 1, 2014, Security News

Cyber Monday is here, and that means shoppers everywhere will be hunting for the best deals online today. But watch out – not all e-retailers are “nice” when it comes to password security! We did a little digging into the password requirements and data practices of the top 10 e-retailers in the US, and it looks like a few will be getting coal this year.

We analyzed each website on a set of 6 criteria, on a scale of 0 to 10 points for each depending on how well those criteria were met. Each retailer then received a total out of 60 points based on their password requirements, how much information they store, and how much effort they put into helping customers follow good password security practices.

See our results in the infographic below, and follow our do’s and don’ts for keeping your data safe this holiday season:

[Infographic: 2014 naughty vs. nice e-retailers scorecard]

How’d We Get These Results?

The study was conducted by LastPass in November 2014. We compared the websites of the top 10 retailers in the US chosen per Top 500 Guide’s Top 500 e-Commerce sites and the National Retail Federation’s Top 100 Retailers.
Each site was analyzed on a set of 6 criteria, scored from 0 to 10 points depending on whether, and how well, each criterion was met. We tested: password requirements, including the minimum and maximum number of characters allowed and the variety of character types allowed; whether these requirements were shown up front to the consumer; whether the website employed a password strength meter to encourage longer passwords; the use of security questions, and how obscure the questions asked were; whether HTTPS is used whenever any information is entered; how much personal information is collected (name, birthday, address, email, phone) and how accessible that data is once you are logged in; and whether payment information is stored in the online account and how accessible it is once you are logged in (i.e. whether only the last four digits were revealed, or the full card number was accessible in plain text).


3 Comments

  • David says:

    I’ve seen this info-graphic posted on several news sources. Is this OK to use if I wanted to add it to a company newsletter or is this proprietary property that those sources paid for? I have no budget for materials unfortunately and I like to stay on the legal side of copyright law.

  • Anonymous says:

    That table/scoring is a bit laughable. What winning came down to is having either a strength meter OR security questions.

    I would argue that security questions are so easily defeated in the age of Facebook that they do not make a site much more secure. Having a password strength meter is nice, but they are not mandatory and all sites allow you to set a weak password, so they shouldn’t make a site win either.

    Under “What makes a site naughty” you say
    1. Weak password requirements – basically the same for all sites. Also, much research has shown that more stringent requirements don’t lead to more security, when customers tend to save complicated passwords insecurely.
    2. Too much information requested – basically the same for all the sites.
    3. Credit card numbers are stored – basically the same for all the sites.

    Also there are a number of mistakes in the table:
    – You forgot Sears’ password requirements.
    – Apple App Store surely stores credit cards (or did you ever enter your cc to buy a new app or in-app content?). Also, they are not an online retailer.
    – Everybody has https so that was pointless.
    – Having security questions adds 18-20 points, because of the two columns. Way overrated.

    And all of this completely ignores the huge data breaches that happened at Target and eBay this year…