Registering for an account: some things I have observed

So the day jobs online store is up. We provide some of the information openly, and some information, specifically pricing, is available to people who register for an account.
Why do we do it this way? I’ve found this to be a good way to distinguish between people who are merely curious, but wouldn’t consider purchasing, and people who want information for a potential purchase. If you are serious about something, you are going to be willing to dig a little deeper. And it allows us to establish something of a quid pro quo. Information for information.
We do not use this information for any other reason than servicing orders, providing additional information and quotes if requested. We don’t sell it, don’t share it, don’t loan it. We don’t even ask for very much. Just a real name. A real contact phone number. A real email, and a real mailing address.
Thats it.

Which is why I wonder something.
What does it say when a person takes the time to fill out forms with obviously false information?
The quid pro quo is all about establishing a dialog with a level of implicit trust. You provide (minimal) information you believe has value (e.g. who you are and how to contact you … which curiously, we only do if you ask us to), and we provide you additional information on pricing and other things.
Sort of tosses cold water on a nascent relationship.
We don’t automatically grant access to the data. We do a quick scan to see if the information provided is real (incorrect email addresses guarantee that the user will not be able to log in, as their password will never reach them). If everything looks in order, we unblock them and generate a random password.
Has worked for quite a few users so far.
Only one real complaint, from a user who sent me more information in an email than it would have taken to register. He was simply opposed to registering. I found it amusing that we received a long tome on the evils of registration and why he wouldn’t register. Yet he could have provided the 5 requested pieces of information far faster, and with less bile than the long tome.
I know, some people are opposed to registering. It is simply against their nature. You can always contact us directly, and we will provide information without requiring registration. But I want to make sure we are speaking with the right people.
I should also point out that this is a part of our online store protection mechanism. Security in layers. You can’t place an order on the store without an account. So we have less concern over fraudulent orders from bots, because we don’t let orders even begin until a login has occurred.
Well, we don’t enable accounts for fake users. Saves us pain later. If you don’t want to register, email us, and we would be happy to provide service this way.

4 thoughts on “Registering for an account: some things I have observed”

  1. All the Bad People who do Bad Things with their lists of registered users have given the good guys a Bad Name. That is why a lot of sites now let you purchase without registering. But then, the Bad Guys could do *the same Bad Things* with the *same information* that you have to give them *for each purchase* that you would have given them once when registering. Huh?
    So that one doesn’t compute. But there is the security issue: if a Bad Person somehow hacks my password for a registered account — which may have an internal record of my credit card information — that Bad Person could log in to my account and order stuff to be sent to him. Or her (not to be male-chauvinistic about it). I think this argument against registration makes sense.
    I mean, it would really not be good if such a Bad Person logged into my Scalable Informatics account and ordered a passel of jackrabbits for his (or her) warren….
    This is presumably why people like Schneier recommend against registering whenver possible.

  2. @SATD
    No CC information is asked for (and there are no spaces for it) when registering. CC information is discarded, not even logged, upon ordering. So if they hack your account, they still need your CC data to order. Since that information is not there, the worst they can do is really, change your name, email, mailing address, or password. Thats it.
    We are very sensitive to the CC theft issue. I figure it is *far* better to not have the thing people *want* to steal stored, anywhere, for any length of time. Once the data is entered, the clearinghouse gets it, and it is destroyed here. Doesn’t show up in the logs, in the other files, etc.
    So arguing against registering because someone may steal something we don’t have available … well … 🙂
    I do normally agree with Schneier. I am not sure of the context of his comments (pointer would be helpful here) so I am not sure I am in disagreement with him.

  3. It’s a simple issue of trust. Some visitors to your site don’t know you, don’t trust you, so they might provide bogus info in order to find out a little bit more before deciding that you’re trustworthy. i.e. you don’t have an overly-aggressive marketing department that won’t leave them alone.
    The person that emailed you with that complaint is either paranoid after having registered at far too many “bad guy” websites, or is simply a total quack. “I don’t want to give you minor personal info via a form submit [possibly over SSL/TLS], but I’ll provide my life story via unencrypted email” == total nonsense.

  4. “I do normally agree with Schneier. I am not sure of the context of his comments (pointer would be helpful here)”
    I just spent some time looking through old email copies of his CRYPTO-GRAM for this — I grepped for “account” and “register”. I couldn’t find anything relevant. Maybe I’m wrong, but I could have sworn he made this point.

Comments are closed.