Arizona Corporation Commission Web Site is Criminally Insecure

Today I had to do my annual renewal of my corporate registration in Arizona.  As in most states, this involves a bit of information foreplay followed by the purpose of the exercise -- sending in a check to the corporation commission.

But here is the extraordinarily scary part -- I started the annual reporting process by just typing in the name of my company and getting started.  There was no password protection, no identity check.  They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud."  The potential for mischief is enormous.  One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.

See for yourself.  Here is their web site.  Below is a screen shot of the site letting me in to edit one of Wal-Mart's corporate registrations in Arizona:

click to enlarge

 

Again, note what I am saying.  This is not the result of hacking.  This is not lax security I figured out how to evade.  This is the result of no security whatsoever.  I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link.  I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site.  It's like asking you for a password after the site just listed all the valid passwords.

If I disliked Wal-Mart, I could put all kinds of crazy garbage in here.  I did not go further, because I would have had to answer these questions to proceed and I had no desire to mess with another company's critical data, but if I had gone further I could have changed their mailing address, the names of their officers, etc. -- all I had to do was just pay the $60-ish registration fee for them and they would have a big mess on their hands to sort out.   If I had access to a fake or stolen credit card and a public computer, I could have done it all without any hope of being traced.

By the way, from my experience, this is not unique to Arizona.  This criminally lax behavior seems to be the norm in most states.

I have submitted this all as a complaint to the state, so far with no response.  If anyone in AZ knows how I can get someone's attention with this, let me know.

  • obloodyhell

    }}} If anyone in AZ knows how I can get someone's attention with this, let me know.

    Practically speaking, the ONLY way to get the government's attention is with a lawsuit. Or lots of bribes "corporate donations"...

  • markm

    Or if someone lacks ethics, actually hijack some major corporate registrations. Not Walmart, but the ones that can spread the most butt-hurt in Washington as well as state capitals: major campaign contributors and defense contractors. But you'd better do a really good job of covering your tracks.

  • ColoComment

    I file the state-level legal reports for my company, too. Security is a huge problem. Colorado instituted email notice of entity record changes quite a few years ago, and then more recently, of filer-registration & password restrictions. Some states mail you some kind of "control" number & call it secuity. Big deal. Still not very secure, but better than Arizona. State corporate records are really an untapped fun palace for hackers, if they only knew it.

    Oh, and a few weeks ago I got a notice from some state, I forget which, that I could sign up for email notice of entity record changes, at the low price of $35 per year per entity. [IIRC]. Highway robbery. They should do that for nothing as the most basic kind of security (as Colorado does.)

  • sq

    Unless this actually changes the records immediately, this is no more insecure than letting people submit this kind of stuff on paper.

  • Gteichrow

    More typical than you'd think garden variety "security through obscurity". It's the fear of the crazy penalties that go with any kind of civil disobedience/civil hacking that keep someone like me from having a bit of fun on that site, haha.

    Anyways, you've done a good service here just by blogging about this. A more Machiavellian person would find out who in AZ has an ax to grind with whoever at the top is responsible for the site and "fill em in"...

  • lonesnark

    Yes, figure out which companies the governor is most chummy with and go wild on their information. Pity the bureaucrat which acts upon the false information.