Best Buy’s Security Alert: Good Letter, Lousy LinkWritten by Frank Hayes
If there’s an art to warning E-Commerce customers about security problems, Best Buy may need a course in Remedial Security Finger-Painting. This month the chain sent an E-mail letter to an unknown number of its online customers warning that logins and passwords stolen from other sites were being used in an attempt to hijack bestbuy.com accounts. But the letter managed to convince at least some customers that the E-mails were phishing spam.
The problem: Links in the letter that customers were supposed to use to reset their passwords—but those links clearly weren’t going to bestbuy.com. The irony: In trying to fix a situation where customers’ passwords were stolen for bad purposes, Best Buy’s letter was inadvertently crafted such that it looked like an attempt to steal customers’ passwords for bad purposes.
The letters, which went out on July 6 over the name of Best Buy VP of Customer Care Lisa Smith, were actually pretty good at spelling out the problem: There was no breach at Best Buy, but someone was using credentials apparently stolen from other sites to try to log into individual Best Buy customer accounts.
“Our investigation indicates that your account may have been accessed by these hackers. We are taking action now to help protect your account; we have disabled your current password, and ask that you take a few minutes to reset it,” the letter said.
So far, so good. But the letter then included a password-reset link that was so long, it wasn’t visible in most modern Web browsers. As a result, most customers likely saw just the beginning and the end of the link, which began with “click.emailinfo2.bestbuy.com” and ended with an 80-character hexadecimal number. (That’s enough bits to uniquely identify a very large number of customers—that number being roughly 2 followed by 96 zeroes, in fact. There’s overkill, and then there’s real overkill.)
At least some customers drew the reasonable conclusion that a link that didn’t begin with “bestbuy.com” and was too long to see clearly was probably not from Best Buy. It also didn’t help that the link didn’t use Secure HTTP, which would have been appropriate for a password change. (Ironically, the password-reset page itself actually did use Secure HTTP—just not the redirecting link in the letter.)
Customers also couldn’t confirm the letter’s authenticity on Best Buy’s site, because neither the letter nor any other notice of the stolen-credentials problem was posted anywhere on the site.
It’s great that Best Buy is able to send customers a clear, well-written letter about security. But the most important thing in that type of letter will still always be the password-reset link. Long, complex and obfuscated links will suggest the letter itself is a security attack. Short, secure and simple will convince customers they can trust the link—which is the whole point, isn’t it?