S 2.313 Secure registration with Internet services
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
Many Internet services require users to register before the service can be used. As a minimum, a user name and a password normally have to be entered, but frequently further information is requested, for example first name and surname, employer or email address. If Internet services are used for official purposes, the organisation's regulations on Internet use must be observed; amongst other things, these should specify which information may be entered when registering with and using such services (see also S 2.458 Guideline for using the Internet).
Every user should think carefully about the information entered here, since it may, for example, lead to unwanted advertising. To limit this, as little information as possible should be entered and the provider's data protection notice should be read thoroughly. Whenever personal data is entered, users should consider to what extent they actually want the service provider to have this information and which further use they are agreeing to. If a valid email address is required but neither the official nor the private address should appear as the sender, a disposable email address created with one of the free Internet services available for this purpose can be used. Note, however, that password recovery messages and security notifications for the account will then go to that disposable address, so such addresses are not suitable for accounts the organisation depends on.
If certain Internet services are regularly used for work-related purposes, the organisation should, where possible, give employees specifications as to how the individual registration fields are to be completed.
The password for the respective Internet service should be chosen with appropriate care (see also S 2.11 Provisions governing the use of passwords). Above all, it must not be the same as a password that protects important data, such as the login to the office computer, and it should also differ from the passwords used for other Internet services: if one provider's password database is compromised, attackers routinely try the stolen credentials against other services.
If personal data has to be entered during registration, this should, wherever possible, only be done over a TLS-protected connection (see also S 5.66 Use of TLS/SSL). It is not enough that the registration page itself was loaded via https: the form must also submit its data to an https address. If an offer requires users to enter sensitive data over an unprotected connection, it should be carefully considered whether this offer really needs to be used.
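The check described above can be automated for a saved copy of a registration page. The following script is an added example and is not part of the BSI catalogue; it uses only the Python standard library. It parses every form on the page, resolves the form's action against the page URL (an empty action means "post back to this page"), and flags forms whose submit target is not https, noting whether the form carries a password or a field name that usually holds personal data. The field-name list and the sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names that usually carry personal or login data (assumption; extend as needed).
SENSITIVE_FIELD_NAMES = {"email", "e-mail", "username", "user", "login", "name", "phone"}


class _FormScanner(HTMLParser):
    """Collect every <form> on a page together with whether it carries sensitive fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "sensitive": False}
        elif tag == "input" and self._current is not None:
            is_password = a.get("type", "text").lower() == "password"
            is_personal = a.get("name", "").lower() in SENSITIVE_FIELD_NAMES
            if is_password or is_personal:
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_insecure_forms(page_url, html):
    """Return the forms whose submit target, resolved against page_url, is not https.

    A page loaded over https can still post credentials over http if the form's
    action points elsewhere; a page loaded over plain http is flagged even when
    the form has no action at all, because it then posts back to the http URL.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            findings.append({"action": target, "carries_credentials": form["sensitive"]})
    return findings


# Constructed sample page (not from any real service) served from an https URL:
# the first form posts back to the page, the second posts the password to an
# http endpoint, the third is a harmless search form.
SAMPLE_PAGE_URL = "https://example.test/register"
SAMPLE_HTML = """
<form method="post" action="">
  <input type="text" name="username"><input type="password" name="password">
</form>
<form method="post" action="http://example.test/login">
  <input type="email" name="email"><input type="password" name="password">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for finding in find_insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("insecure submit target:", finding)
```

Only the second form is reported for the sample page; the first resolves to the https page URL and the third carries nothing sensitive. The check says nothing about the quality of the TLS configuration itself, which is the subject of S 5.66.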
Many Internet services offer a recovery function for passwords, i.e. a fallback in case a user forgets his/her password. For this, a few questions usually have to be answered in advance. The answers are stored by the service provider, and the user is asked those questions if he/she has forgotten the actual password. The questions are often preset, e.g. asking for the mother's maiden name, the name of a pet, a favourite colour or the place of birth. Unfortunately, only a few service providers allow the question to be formulated freely.
Note: In many social engineering or phishing attacks, the attacker does not clumsily ask for passwords but, seemingly harmlessly, for the name of a pet or a favourite colour; such facts can often also be found on social networks. It therefore makes sense not to enter true answers for the recovery function, but information that no attacker can guess and that the user can nevertheless remember or store securely, for example in a password manager. The answer to a recovery question is effectively a second password for the account and should be treated as one.
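An added example of how such answers can be produced; this is not part of the BSI catalogue. A truthful answer to "favourite colour" is chosen from a handful of plausible values, so its guessing cost is bounded by the size of that set, regardless of how long the word is. An answer built from words drawn with a cryptographic random number generator has a guessing cost that grows with every word and is still easier to remember than a random character string. The 64-word list below is constructed for the example; a real deployment would use a published word list of several thousand entries, which raises the bits per word.

```python
import math
import secrets

# Constructed 64-word list (assumption: a published diceware-style list would be used in practice).
WORDS = (
    "apple brick cedar delta eagle fable giant hazel ivory jelly kayak lemon "
    "mango noble olive panda quartz raven sugar tiger ultra velvet wagon xenon "
    "yacht zebra amber bison coral dune ember frost gecko honey iris jade kiwi "
    "lotus maple nova opal pearl quill river slate topaz umber vapor willow "
    "yarrow zinc acorn birch cobalt daisy elm fern grove heron indigo juniper "
    "kelp linen moss"
).split()


def random_answer(word_count=6, words=WORDS):
    """Build a recovery answer from CSPRNG-chosen words; it has no link to the user's life."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def answer_entropy_bits(word_count, list_size):
    """Entropy of an answer drawn uniformly from list_size words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def truthful_answer_bits(plausible_values):
    """Guessing cost of a truthful answer: log2 of how many values an attacker must try."""
    return math.log2(plausible_values)


if __name__ == "__main__":
    answer = random_answer()
    print("recovery answer to store in the password manager:", answer)
    print("random answer entropy:  %.1f bits" % answer_entropy_bits(6, len(WORDS)))
    # Assumption for illustration: roughly 20 colours are plausible "favourite colour" answers.
    print("truthful colour answer: %.1f bits" % truthful_answer_bits(20))
```

With the 64-word list, six words give 36 bits, against about 4.3 bits for a favourite colour chosen from 20 plausible values. The generated answer must be recorded together with the service password, since it cannot be reconstructed from memory of facts; a password manager is the natural place.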
Review questions:
- Has it been ensured that passwords used for Internet services differ from other passwords?