Does filling out an online survey in exchange for a few bucks sound too good to be true? For ClixSense users, this is turning out to be the case: last week, the leading paid-to-click (PTC) survey firm admitted to a massive data breach involving virtually all of its users' accounts—roughly 6.6 million records in total. With so many giving in to the allure of easy money, PTC firms should be on top of securing the privileged data of the survey takers they're bankrolling. Let's find out how the top 5 compare when it comes to fulfilling this critical responsibility.
The breach—verified by Troy Hunt, creator of the popular data breach discovery engine Have I been pwned?—was first discovered on a post advertising the leaked data for sale. The complete payload purportedly consists of 6.6 million user records and source code from the website. Some examples of the data compromised include plaintext passwords, IP addresses, user birth dates, emails, payment methods, account balances, and payment histories.
ClixSense has since issued a public notification explaining what the data breach means for its users:
What does this all mean? Simply put, your ClixSense account information is now much more secure. We did a forced password change as a precautionary measure and many of you have already changed your emails as well. If by chance you have used the same password here as other services (such as your email, Paypal or another PTC, etc.) please make sure you change these passwords too.
Thinking positively about the matter is certainly commendable, but do ClixSense's CSTAR ratings—as well as its competitors' scores—reflect a heightened state of security and enterprise resilience? Let's take a look at how each website's perimeter security mechanisms stack up.
PTC Company Roundup
It's only fitting that we start with ClixSense—one of the largest and most popular PTC firms and the subject of this latest massive data breach. Launched in 2007, the company also pays users for clicking advertisements and completing offers. Payouts are handled through PayPal, Payza, and Paytoo.
ClixSense scores an average CSTAR score of 637 for a number of risky security flaws: Lack of HTTP strict transport security, HttpOnly cookies, and secure cookies could lead to various client-side exploits. Additionally, disabled SPF, DMARC, and DNSSEC leave its servers open to forgery.
iPoll—previously known as Surveyhead—offers gift cards, sweepstakes, magazine subscriptions, and PayPal payments in exchange for sharing opinions via online surveys. The website shares many of ClixSense's website perimeter security issues, along with server information leakage such as exposed X-Powered-By and ASP.NET version headers.
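The header-level flaws cited for ClixSense and iPoll (no HSTS, cookies without Secure or HttpOnly, X-Powered-By and ASP.NET version disclosure) can all be checked from a single HTTPS response. The following Python is an added example, not UpGuard's CSTAR scoring code; the function names and the sample header sets are constructed for illustration.

```python
# Added example: function names and the sample header sets below are constructed.
LEAKY_HEADERS = ("x-powered-by", "x-aspnet-version")

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def cookie_flags(set_cookie):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit_headers(headers):
    """headers: (name, value) pairs from one HTTPS response -> list of findings."""
    by_name = {}
    for key, value in headers:
        by_name.setdefault(key.lower(), []).append(value)
    findings = []
    ages = [hsts_max_age(v) for v in by_name.get("strict-transport-security", [])]
    if not any(ages):  # header absent, unparsable, or max-age=0 (disables HSTS)
        findings.append("HSTS not enforced")
    for raw in by_name.get("set-cookie", []):
        name, attrs = cookie_flags(raw)
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    for header in LEAKY_HEADERS:
        for value in by_name.get(header, []):
            findings.append(f"{header} discloses {value}")
    return findings

WEAK = [  # constructed sample showing the flaws described above
    ("X-Powered-By", "ASP.NET"), ("X-AspNet-Version", "4.0.30319"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=1; Path=/; Secure"),
]
HARDENED = [  # constructed sample with the corrected settings
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
if __name__ == "__main__":
    print("weak:", audit_headers(WEAK), "| hardened:", audit_headers(HARDENED))
```

SPF, DMARC, and DNSSEC are DNS-side settings and are not visible in HTTP response headers, so they need a separate DNS lookup.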
UK-based MySurvey uses a point-based compensation system for redeeming gift cards, cash coupons, and vouchers in exchange for completing online surveys. The company recently added webcam surveys to its range of money-making activities.
Don't remove that piece of tape from your webcam yet—various security flaws in MySurvey's website security mechanisms leave it vulnerable to being compromised. Its CSTAR score of 638 is a result of various security flaws: server information leakage, lack of HttpOnly cookies and secure cookies, and disabled DNSSEC and DMARC, among others.
If this PTC's name isn't enough to sound off alarm bells, a CSTAR score of 315 should do the trick. The popular online survey and offer completion website suffers from a myriad of website perimeter security flaws: lack of DMARC, DNSSEC, secure cookies/HttpOnly cookies, and the like. But unlike the preceding firms' websites, CashCrate lacks sitewide SSL—on top of leaving its server's filesharing ports open.
And Company Name Most Likely to Attract Cybercriminals goes to... okay, it's probably a toss-up between this PTC firm and CashCrate. And like CashCrate, its abysmal CSTAR score is a result of website perimeter security issues common to most firms on this list plus lack of sitewide SSL.
Any website or service that promises cash incentives or huge payouts is bound to get barraged by user signups and—invariably—cyber attacks. Unfortunately, the massive ClixSense data breach is likely the first of many to come, if these PTC firms' CSTAR scores are any indication. An organization's cyber risk posture is only as strong as its weakest IT assets; a firm's externally facing web assets are arguably the most visible and therefore the most brand-damaging items to be compromised.