Monday, January 21, 2013

eWAY: Security concern response done right

I'm absolutely blown away by how eWAY responded to my last post concerning the security issues and concerns I had raised about their site. They've radically exceeded my wildest hopes for resolution of the issues, and set themselves far apart from other companies that have been in similar circumstances before.

The post with the issues initially went live Wednesday morning.

By Wednesday evening, within 12 hours of the post going live, I had received a phone call from their CEO letting me know they were on top of the issues and actively addressing them with quite a few developers.

By Thursday evening, under 36 hours after the post went live, they let me know they had resolved the "plaintext password reset email" issue with a much more secure password reset system that did not expose the developer passwords.

In under a week, they have also updated their "About the developers" page to add information about the people responsible for security (this information had previously been missing from the page), updated their fraud detection systems, and are actively pushing people away from the older, 8-digit-based interface.

On top of this, they sent me a thank you package!

This is such a radical contrast to other companies who respond to security issues by, in no particular order, ignoring them, having a PR drone say something meaningless, or fixing one issue and ignoring others (and then denying that there are exploits on sale and being used for the just-patched version).

And it's absolutely awesome to see rapid response to security concerns in action. I wish more companies responded like eWAY did.

Comments:

  1. I had a similar experience five years ago. I discovered a finance company site that leaked other people's applications, including things like driver's license and credit card numbers.

    I sent an email outlining how I did this (change the query string :S). Within a few hours I had a phone call from the CEO of the finance company, and within a few more hours the hole was plugged. I then got another call from the CEO to let me know, and to let me know they'd waived some fees for me.

    At the time I didn't really think anything of it - but now I'm really impressed at how well it was handled, which I think is a reflection on every other company in the world being awful at it.
