Why to use Google in-app billing?

Why do major Internet companies use horrible user account security practices for the needs of power users?

  • My experiences with Google, Android, Microsoft and Amazon come to mind. I actually know the answer: because this applies to the average, not so sophisticated user, but not to security-conscious power users; but I am just now pissed off, so I have to write about it. Maybe I get additional insights and viewpoints from you. I also read Bruce Schneier on the issue and his conclusion is these companies focus their account security features around the user (bad policy), instead of the impersonal account itself (better policy, for power users at least). If anyone finds the respective article, I appreciate if she links it in the comments.

    My experience with Amazon: I got a Kindle, set up an account on the device with only an email address and password combo (should be enough, right?). I have never bought stuff with it, mostly used the Kindle to read downloaded web articles (which I synced with the Calibre software, not Amazon services). I never associated a billing address, credit card or phone number with the account. Then I wanted to sign in and it asked me for personal information I never provided and that was not associated with my account. (Good example of said bad practice: they try to secure the user, not the account; I never forgot my email and password combo, the only thing provided for the account.) Customer service told me I should make a new account. I have found that if I provide a (random) phone number (which I store in my password manager) then it will be accepted by Amazon as a security question. So, the user has to be more clever and play games here. The problem I see here is that for Amazon it's simply not enough to, say, send you a verification link in email (most internet accounts work like this); they insist on your personal information.

    Amazon customer service experience (slightly off topic here, but an honorable mention): I asked a pre-sales question via chat (you do not need to sign in, let alone have an Amazon account, to ask a legitimate pre-sales question, right?). We talked about this and that for half an hour with the rep, whose English was worse than mine (and I am not a native speaker, either), then my case was upped to a senior rep, maybe, who asked about my order number (which in this case did not exist, obviously), and as I was unable to provide it she kicked me out of the chat. Brilliant service.

    My Google account with my Android phone: again, I understand Google's concept here, that you are supposed to give them your credit card, your email conversation, literally your life, and this account should be secured; I understand that. But for this phone I only registered as I wanted a quick and easy account to be able to download free apps from the Play store, and that's it. I wanted to change the password on the desktop (easier, right?), then it asked from which city I use to sign in. Best practice is you use the net from your mobile device via a VPN, right? I see most people won't do it, but all the experts tell you to do so, right? Am I supposed to take note of which cities my VPN provider connects to? It changes from time to time; no problem for me until a company like Google wants to identify me via personal data instead of account data. I know my email and password, but am locked out of the account. (And by the way I use Gmail for mail as well in another account, but nothing that important which would justify my use of 2-factor authentication for my main email as well; I rather log in and log out fast, though my password and security questions are both super-strong, managed by a password manager.) And they disabled the good old feature, the security question, for which I provided a randomly generated list of characters, the same difficulty as my password, which I saved in my password manager. Again, I understand the average user will never do this, but it's still best practice against social engineering.

    My other pet peeve with email security today is that you are supposed to add a recovery email, maybe another Gmail (Google does not promote the competition, right?), and all your email addresses with their respective SMS 2-factor authentications. This might (I say might; borderline) work when you are at home with all your phones, but how about international travel, business and extended travel? Are you supposed to carry, and not lose, all your home phones with your home SIM cards across the globe in case your email provider wants to identify you (and not the account; see Schneier above)? Nonsense. Besides this, you wouldn't carry your home SIM cards abroad; you use the respective SIM cards of the countries you visit.

    Update: after the iCloud hack (September 2014), this is how Google secured its login process (replaced the previous security question with this screen): Message: do not travel out of your home country or city. Brilliant; really.

    Update: Microsoft security feature: Or bug: Outlook. To add context, it asked less than 5 times to enter the security code, which arrived on my phone promptly and which I entered correctly (so no resend was needed).

  • Answer:

    I disagree with the assertion regarding Google. Google has done some impressive things in terms of security and privacy in recent years. For instance, all Google searches can be set to be SSL encrypted, and they offer two-factor authentication using call back to phone, SMS to a cell phone, email or soft token authentication. When Google Earth images were shown to have faces and license plates, Google responded by blurring images with special algorithms.

    With regard to Amazon, Amazon has massive incentives to keep it simple for users because it is a major e-commerce site. If they made purchasing more difficult with layers of security, it would eat into their revenue stream. I'll draw a comparison to the credit card infrastructure in the US compared to Europe. While Europeans all carry credit cards with smart-card capability, Americans do not. This is because American retailers prefer to spend less money on security and simply write off the fraud.

Andrew Lemke at Quora

Other answers

Google gives you the opportunity to use security mechanisms. If you do not want to use them, then it is your choice. I am not sure how you can replace multifactor authentication by "logging in and out fast". Security questions are one of the dumbest ideas someone had under his or her morning shower. This is a highway to account compromise as people will answer "blue" to the question about their favorite color. Using a complex password as an answer just helps to secure (for you) this abysmally stupid mechanism.

Wojtek Swiatek
