In the wake of the Heartbleed incident, everyone is understandably concerned about their online privacy.
If you’ve applied to law school with the assistance of the good folks at LSAC, you probably appreciated the opportunity to have your law school application process entirely automated. But you also placed your personal information at risk, up to and including your Social Security number, due to some serious (but easily remedied) security flaws.
Thankfully, they know about the problem and are working on it.
Maybe. Eventually. It’s not really clear.
Which, considering the gravity of the risk, is just as discomforting an answer as blowing it off completely….
The crux of LSAC’s problem is their protection — or lack thereof — of user passwords. If you’ve used the system recently and lost your password, then you may have encountered this particular weak spot and not even realized it. When you requested a reminder, they emailed your actual password back to you in plain text, in all caps. From a tipster who raised the issue directly with LSAC:
There is a major security flaw in the LSAC website, and it needs to be addressed as soon as possible because it is endangering the security of all of your applicants and putting them at risk of identity theft. I noticed the issue when I received a password reminder email that contained my actual password in all capital letters. That means…
My password is being stored in reversible form in one of your databases. User-entered passwords should never be stored as anything other than a salted hash [a version of it that's been modified and run through a one-way hash function]. Storing actual passwords puts not only login info for the LSAC site at risk but, due to the common practice of reusing passwords, also runs the risk of a criminal gaining access to other websites for which a user has the same username/password combination. If you were ever to have a security breach, this would be very, very bad.
My password was emailed to me unencrypted and in clear text. If that email had been intercepted, the person intercepting would have had enough information to attempt to log in to my LSAC account (the username wasn’t in the email, but my username is the same as my email address, and I imagine that is frequently the case). From there, they would have access to my date of birth, the last four digits of my social security number, my address, my LSAT score. Basically enough information to steal my identity and ruin my life.
Of the two concerns, it’s the former that’s the greater risk. That said, when I reached out to Ian Lurie, the Chairman & Principal Consultant of Portent, Inc. (and a UCLA Law grad), he said that the latter scenario shouldn’t be dismissed:
While it’s not a super-likely scenario, this is a field where hackers abound, and the potential downside is so bad (and fixing this is so easy) that it seems careless not to deal with it. You’ve got the most litigious population on Earth (law students) all using a site. Get it buttoned down against any obvious potential threats.
But again, fixing the resetting system that emails around full passwords is a necessary but not sufficient solution to LSAC’s problems. Simply maintaining everyone’s unhashed passwords on a clearinghouse website that a hacker could target is much more frightening because it’s a solitary, tempting target loaded down with personal information. And even if the hacker didn’t get into the other personal information LSAC collects, just having the stored passwords offers access to login anywhere the user employs the same password. Which for most of you is everywhere, up to and including bank accounts.
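To make the difference concrete, here is an added illustration in Python (not code from the article or from LSAC): the recoverable storage pattern the tipster describes next to the salted-hash storage and token-based reset that the article says should replace it. The in-memory user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user database" standing in for a real one; keys are
# usernames, values are whatever credential record the site chose to keep.
USERS = {}

def store_password_insecure(username, password):
    # The pattern described in the article: the password itself is kept (here
    # upper-cased, as the tipster received it back), so anyone who reads the
    # database, or the reminder e-mail, has the real password.
    USERS[username] = {"plain": password.upper()}

def store_password(username, password):
    # Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    # Only the salt and derived key are stored; the password cannot be read back.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    USERS[username] = {"salt": salt, "hash": dk}

def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 600_000)
    return hmac.compare_digest(dk, rec["hash"])  # constant-time comparison

def can_recover_password(username):
    # True when the stored record lets the site (or an attacker) read the
    # password back, i.e. when a "password reminder" e-mail is even possible.
    return "plain" in USERS.get(username, {})

def issue_reset_token(username):
    # Instead of mailing the password, mail a random one-time token. Only the
    # token's hash is stored, so a database breach does not expose live tokens.
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = hashlib.sha256(token.encode()).digest()
    return token

def reset_password(username, token, new_password):
    rec = USERS.get(username)
    if rec is None or "reset" not in rec:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset"]):
        return False
    store_password(username, new_password)  # replaces the record, consuming the token
    return True
```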
LSAC replied to these concerns by telling the student that they will get to work on the problem of emailing passwords, but that he shouldn’t really be concerned because LSAC doesn’t store full Social Security numbers. The student, obviously, wasn’t comforted by this non-response response:
Thank you for your response. Unfortunately, I find it unsatisfactory for a few reasons:
You note that my Social Security number is not stored in full. This is false. My Social Security number appears in full in multiple places in my account. For example, when I view a PDF application that I have submitted to a law school, my Social Security number appears in full on that page. It also appears, handwritten, on the bottom of my LSAT answer sheet. An attacker with my password would have access to these workflows.
You address my concern about password resets, but not my key concern about password storage. I am concerned that the passwords are being emailed, yes, but I am even more concerned about your storage of my password either in cleartext or using a reversible algorithm. If you had been hacked last week like Twitter, the New York Times, or the Washington Post, the publicity would have been the same, but the damage would have been much greater. Twitter’s hack caused them to lose salted, hashed passwords, and it was still a major publicity blow. If the same thing happened to you, you would lose full passwords. That is much, much worse.
You have not given me a timeline by which you will have this fixed. You are protecting very sensitive data of mine. Normally, I would choose not to do any business with a company that protected my data like this, but with LSAC, I have no choice. I must use your services.
And that’s the rub of this whole affair: high-profile entities are getting hacked like this and you don’t really have any choice but to hand over your personal information to LSAC and hope they’ll keep it safe. We’ve created an applications monopoly, which brings efficiency through economies of scale, but as the old adage goes, you put all your eggs in one basket and then WATCH THAT BASKET. Right now all the eggs are in a basket guarded by… somebody?
We asked LSAC to directly comment on this issue. What we got in return from Wendy Margolis, their director of communications, was:
Hello Mr. Patrice,
Thank you for your inquiry. You asked if we are taking any steps to enhance the security of user passwords. We definitely are. I really can’t provide any information other than that.
Usually when ATL asks for a comment we receive (a) a vociferous denial, or (b) an earnest and detailed explanation of the steps being taken to address the issue. So the “admission with vague blow-off” is a new phenomenon. The charitable read of this response is that LSAC must keep their security measures “secret” to protect themselves. This is also a dumb read. Major institutions, for instance PNC Bank, are perfectly comfortable sharing the steps they take and protocols employed to protect data. It’s not handing the keys to a hacker to say, “we encrypt your data.” Rather it’s signaling to the hacker “we aren’t a fly-by-night entity with no clue what we’re doing.”
So I guess take heart that LSAC is aware of the security threat and is maybe, kind of working on it in some vague, ambiguous way.