GeodSoft: Building a Web Site, Security: Assn. Membership Policies

		GeodSoft

As Secure As Your Membership Policies

There may be associations that conduct background investigations of prospective members or require some proof of eligibility before allowing someone to join but I am not familiar with them. Generally, all that is necessary to join an association is the willingness to complete and sign a membership application and to pay the appropriate dues. Cash payments would be somewhat risky and suspect so presumably nearly all membership applications will be accompanied by a check or credit card that has some identification on or associated with it.

For associations that accept online membership applications, all that is typically needed to become a member and access to the member only areas of the associations web site is to provide a valid credit card number and expiration date and a post office box for an address. For associations that do not care if members are qualified this may not be any problem; here the only concern may be that online services cannot be obtained for free and thus fail to be an incentive for joining the association.

Some associations may provide member communication services that are semi sensitive in nature. Members may wish that those who are not qualified to be members, cannot see the member only communications. For such organizations, I suggest the following: Some credit card authorization technology today displays the card holder's name. These associations that accept online member applications should consider a policy of not automatically accepting applications where the name on the application does not match the name provided by the credit card authentication technology. The association should require a phone number on all member applications. Where names do not match, the number should be contacted and the prospective member asked to explain why the card name is different than the application name before the application is processed.

Even with such requirements, these associations are still likely to be accepting memberships based on only a real name and telephone number. If the person is not eligible to join the association and is found out, it might be somewhat embarrassing to that person but they are unlikely to suffer any other adverse consequences. It is probably not illegal to join an association under false pretenses even when the association considers it very important that only qualified individuals join the association and access its proprietary information.

The point behind this is that an association's web site cannot be any more secure than its membership policies. Anyone who is willing to pay the dues and lie can gain admission.

As I discuss in the section "Collaboration Among Members," providing electronic communications between members could be one of the largest benefits of an association as we move towards an ever more online age. I personally would never place anything that I considered to be confidential information, into today's web sites or list servers; others may think the username and password used to access the member only areas of the web site provides some meaningful security.

From the association's perspective, it is important that the association never misrepresent the security that is available for it's web site and other electronic communications. Members should be reminded that the system cannot be any more secure than the level of security associated with joining the association. It might be useful to require the members to pass through a page that includes the appropriate security disclaimers before participating in any collaborative communication. If security is of particular interest to your members, you may want to go so far as electronic contracts that make a permanent record of whatever language the member saw and agreed to as a condition of participating in the electronic collaboration.

<P Not Like Banks <
^ Security Contents ^
> Variable Access N>

Top of Page - Site Map

Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in http://GeodSoft.com/terms.htm (or http://GeodSoft.com/cgi-bin/terms.pl). These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.

Home >
Book >
Security >
mpolicy.htm

<P Not Like Banks
N> Variable Access

What's New
How-To
Opinion
Book

Email address

Site map:
Home
What's New
About GeodSoft
- Large Web Project
- Designing GeodSoft
- Building GeodSoft
How-To
- Good Passwords
- 10 Security Steps
- Intrusion Detection
- Secure Shell (SSH)
- Harden OpenBSD
- Dual Boot Open Source
- Style Sheets (CSS)
- Time Synchronization
Reviews & Commentary
- Product Packages
- Software Licenses
- Open Source Limits
- Server Comparison
- Bogus PHP Bug
- Corel Linux
Book: Assn. Webs
- Introduction
- Network & Web Basics
- Assn. Computer Security
- - Security Trade-offs
- - Fully Secure Myth
- - Intruders
- - Passwords
- - Security Illusions
- - Lax Security
- - Association Exposures
- - Reputation
- - Credit Cards
- - SSL
- - Member Data
- - Corrupted Data
- - Lost Member Data
- - Perpetual Insecurity
- - Different Needs
- - Not Like Banks
- - Membership Policies
- - Variable Access
- - Internet Security Basics
- Publishing Myth
Terms of Use
Privacy Policy

Password Generator
Password Evaluator
Crack Time Calculator