All posts in Photography Workflow

Have Your Online Galleries Been Hacked?

Are Your Boudoir Clients’ Photographs Safe and Secure Online?

Today in one of the boudoir forums that I frequent, a member posted about her discovery that there was a forum for voyeurs who were hacking their way in to boudoir galleries online. They weren’t stopping at boudoir galleries though — they were logging in to family galleries, and I’m sure other session galleries.

These people weren’t using the usual hacking methods though, at least not at first. They were actually just finding the path to the gallery and from there guessing the password.

Oh, and they started the thread in 2012. [Corrected. This post originally said November, 2013.]

It just took us until 2014 to find out about it.

More recent posts on the thread talked about using extortion to get money from the women in the galleries that they had found. Yes, threatening to post photos to Facebook unless they were paid off.

Then there were the threads about how they had figured out that they could potentially “scrape” all of the galleries from Red Cart, gaining EVERY PHOTO POSTED there. Boudoir or not. Boudoir was what they were after though.

Voyeur Forum RedCart Scraping of Boudoir Photographs

They weren’t just going after online proofing sites (SmugMug, ZenFolio, and RedCart were all mentioned in their thread), but they were also going after online album proofing sites.

Voyeur Forum Suggests Hacking Album Company Site

Now you might think that your online gallery software or your album proofing company should be doing something to protect you from this hacking. The thing is, if you read their Terms of Service? Every single one of them has an “out” written in to their contract. It is your responsibility to make sure your passwords are secure. Beyond that, if someone gets in to them? Not their fault. (*I could argue that RedCart has a bigger issue on their hands if they were figuring out how to pull down every image on their site. Right now isn’t the time for arguing. Right now is the time to FIX THIS situation.*)

Here is SmugMug’s Terms of Service and here is ZenFolio’s Terms of Use and Privacy Policy.

SmugMug's Very Standard Security Information

SmugMug’s Terms are pretty much the industry standard for ANY hosting service. Their responsibility is limited. It is your responsibility to keep your client’s photos safe.

UPDATE: If you are a Zenfolio user, a photographer started a feature suggestion that people can only guess a password 3 times before being locked out of a gallery. If any of you would vote for it, please go here.

The forum has now moved the post to their “Member’s Only” section, so we can’t see what they have added to it at this point. At the time that the post was moved, the thread was 121 pages long.

Thing is, this may be the one forum that we know about, but I promise you – it is NOT the only forum out there with information like this.

Protecting Your Clients

Ok, now that we are all sufficiently panicked about this, let’s talk about what we can DO about it.

1. Never post your client’s images online, ANYWHERE. Realistically, that is the only safe & secure method to use. I went that route a few years ago when we caught someone trying to hack (truly hack, not just guess at passwords) their way in to my online gallery software that I hosted on my own server. I don’t post my boudoir client’s images online. We meet in person to view the images. (I’ve talked before about my whole In Person Viewing process in these posts: overcoming your fear of in person sales sessions, boudoir photography workflow – preparing for in person sales and the magic of in person sales sessions.)

I do however use an online album proofing company and an online slideshow option. I am considering discontinuing both of those services after today.

But I HAVE to do Online Proofing! (Insert reason here.)

Ok, so option #1 isn’t an option for you, for whatever reason. You simply must post your photos online for them to see them.

2. Use a SECURE password. Using your client’s name? Not a secure password. Using “boudoir”? Not a secure password. Using “sexy”? Not a secure password. These and many more obviously easy to guess passwords were being passed around in this forum. An entire boudoir photographer’s gallery was linked, and every single session used the first name as the password. Yes, they worked. No, that is NOT secure. WORDS, no matter how unique they are to your client, are not secure.

(Want to learn more than you ever wanted to know about password security? Wired Magazine – Secure Passwords Keep You Safer and the scary story of how Mat Honan’s entire world was hacked, Wired Magazine – Kill the Password: Why a String of Characters Can’t Protect Us Anymore.)
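A way to check your own gallery passwords against the kinds of guesses described above (client names, “boudoir”, “sexy”) and to generate random replacements. This is an added example, not part of the original post; the gallery names, client names, word list and 12-character minimum are constructed assumptions.

```python
import re
import secrets

# Constructed sample data: gallery -> (client name, current gallery password).
SAMPLE_GALLERIES = {
    "smith-session": ("Jessica Smith", "jessica"),
    "lee-session": ("Anna Lee", "Boudoir2014"),
    "garcia-session": ("Maria Garcia", "sexy"),
    "nguyen-session": ("Kim Nguyen", "q7Vd-Lx2pR9w_TbM"),
}

# Words a stranger would try first; add your studio name, city and so on.
GENRE_WORDS = {"boudoir", "sexy", "photo", "gallery", "password"}
MIN_LENGTH = 12  # assumed policy for this example

def weak_reasons(password, client_name):
    """Return the reasons a password is easy to guess (empty list = none found)."""
    lowered = password.lower()
    name_parts = [p.lower() for p in client_name.split() if len(p) >= 3]
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if any(part in lowered for part in name_parts):
        reasons.append("contains the client's name")
    if any(word in lowered for word in GENRE_WORDS):
        reasons.append("contains a genre word")
    if re.fullmatch(r"[A-Za-z]+\d{0,4}[!.]?", password):
        reasons.append("is a single word, with or without trailing digits")
    return reasons

def audit(galleries):
    """Map each gallery with a guessable password to the reasons it was flagged."""
    report = {}
    for gallery, (client, password) in galleries.items():
        reasons = weak_reasons(password, client)
        if reasons:
            report[gallery] = reasons
    return report

def new_gallery_password(client_name):
    """Generate a random 16-character password (96 bits from the OS CSPRNG)."""
    while True:
        candidate = secrets.token_urlsafe(12)
        if not weak_reasons(candidate, client_name):
            return candidate

if __name__ == "__main__":
    for gallery, reasons in audit(SAMPLE_GALLERIES).items():
        print(gallery, "->", "; ".join(reasons))
    print("replacement:", new_gallery_password("Jessica Smith"))
```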

3. Have a clause in your contract limiting your liability if your galleries are accessed. Do you want your clients coming after you if someone got in to your galleries and took their photos and posted them all over Facebook? No? Then you need to talk with your lawyer to make sure you are protected in case this happens to you. (Yes, just like SmugMug, ZenFolio, and RedCart have in their Terms of Use.) Make sure that your clients understand that no password is EVER completely safe.

Make sure you understand that too. No password is ever completely safe. It is not a matter of if you will be hacked, it is a matter of when. You need to put photos online with that understanding.

From now on, if I ever have to put a gallery online for any reason, I will require my clients to sign a special release for the gallery going online. This is something you should consider not just for boudoir sessions, but for any client. Make sure your client is aware that the photographs could be compromised. For example, some parents do not want their children’s photos viewed by anyone.

4. Be obscure about where your galleries are located. “One of the best security measures in the online world is ‘obscurity’, otherwise known as ‘security through obscurity’.

Basically if you have online galleries that you want protected, don’t add them to your main gallery list or your site’s navigation. At Fotomerchant we call them “ghost” pages and only people you give the unique URL to will even know the page exists.

Also, make sure the pages are NOT listed in your sitemap.xml and that your robots.txt does not allow full site crawling and then Google will never know they exist either… Unless you post a link to the gallery somewhere public!

Obscurity is one of the only measures that requires human knowledge in order to crack it” — Derek Clapham, co-founder of FotoMerchant, in response to a private forum post I made about this situation this afternoon.

However, private, hidden, unsearchable galleries were on that list that we discovered. Just making it obscure wasn’t enough for them when they were determined. In some cases, “they were able to find these hidden pages due to the nature of their URL design. It was predictable and based on a number sequence”, said Derek.
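A check you can run on your own list of private gallery links, covering the two problems named above: addresses built from a number sequence, and private pages that ended up in sitemap.xml. This is an added example, not part of the original post or of any gallery product; example.com, the paths and the sitemap content are constructed placeholders.

```python
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample data; example.com and every path here are placeholders.
PRIVATE_GALLERIES = [
    "https://example.com/proofs/1041",
    "https://example.com/proofs/1042",
    "https://example.com/proofs/1043",
    "https://example.com/proofs/kX3v9QpL2mZt7RbA8sYw0g",
]
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/proofs/1042</loc></url>
</urlset>"""

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

def last_segment(url):
    """Return the final path component, the part that identifies the gallery."""
    return urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]

def numeric_ids(urls):
    """URLs whose identifier is only digits, so neighbouring galleries can be counted to."""
    return [u for u in urls if last_segment(u).isdigit()]

def listed_in_sitemap(urls, sitemap_xml):
    """Private URLs that also appear in sitemap.xml, where search engines will pick them up."""
    root = ET.fromstring(sitemap_xml)
    locs = {loc.text.strip() for loc in root.findall("sm:url/sm:loc", SITEMAP_NS) if loc.text}
    return [u for u in urls if u in locs]

def new_gallery_url(base="https://example.com/proofs/"):
    """Build an address from 16 random bytes (128 bits) instead of a counter."""
    return base + secrets.token_urlsafe(16)

if __name__ == "__main__":
    print("predictable:", numeric_ids(PRIVATE_GALLERIES))
    print("in sitemap:", listed_in_sitemap(PRIVATE_GALLERIES, SITEMAP_XML))
    print("replacement:", new_gallery_url())
```

A random address only removes the counting shortcut; the gallery still needs its own strong password.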

5. Pull expired galleries offline. When possible, use FTP to make sure the images are completely removed. If you let the gallery expire and it is still online, the photographs are still stored on a server somewhere. Servers can be hacked, your files can be accessed. Remove them from the server completely when you are done with the gallery or album proof.

Once something goes online, it is never completely safe

Even if you do all of the things listed above, are your client’s photos still secure?

No.

No, they are not.

Hidden, not listed, not linked, unsearchable galleries? ALL were in that post discovered today.

Once these people found the easy to target galleries, they pushed on to find the harder to discover ones. They figured out how to move up and down the gallery structure of the software. How to change the string text to get to a gallery. They kept looking. For almost two years they have been looking. Some in the thread mentioned “let me check my documents of the ones I’ve gotten in to” — so even if this thread disappears, there are others out there, and private files that people keep.

Photo Credit: ~Brenda-Starr~ via cc

Preveal Sale & Giveaway!

Preveal App for Photographers

Now that we have talked about how I handle In-Person Sales Sessions, the timing could not be better to share with you that the Preveal app is on sale! Purchase it between now & May 24, 2013 and receive $25 off of the normal price.

Preveal brings the power of showing your clients their images on their walls to your iPad. With easy step-by-step instructions, your clients gather photographs of the places in their home that they would like wall art (or you go to their home and take the photos for them), and you can then show your clients exactly how the photographs will look in their home. You can show them a variety of wall gallery collections as well as showing them how single large artwork pieces will look. Ever had that client that wondered if an 8×10 print would look great over their fireplace? Now you can show them that it is too small, and what size will be more appropriate.

To go along with Preveal, make sure you get a copy of DesignAglow’s free guide for clients to photograph their home for the wall displays. The educational guide “teaches your clients how to take a well composed, properly scaled image of their home’s future wall gallery location.”

Not only is the app on sale, but Preveal is hosting a giveaway as well! You can enter to win a chance at over $1000 in prizes, including a chance to win a mentoring session with me! To enter, visit the Preveal blog and follow the instructions for the contest.

The goodies that are up in the contest that you could win?

Visit the Preveal blog to enter and win! But hurry, before the contest ends on May 24th! And don’t forget to pick up your copy of the Preveal App while it is on sale!

The Magic of In Person Sales Sessions


We’ve talked about why we should get over our fears and do In Person Sales, and I’ve shared how I prepare my work for In Person Sales Sessions. Whether you show your clients 30 images or 130 images, fully edited or hardly adjusted at all, the next steps are both the easiest and the hardest part – the In Person Sales Session!

This part really is magical to me. After years of being afraid of it, I am still amazed at how much happier my clients are when I work with them to select the perfect images for their needs.

To be Clear, You’re Only Selling What they WANT to Buy

Your clients came to you to take photographs. Their ultimate goal is to have a great experience working with you, and to have those photographs when it is all said and done.

In the end, you’re not selling anything. You are helping them to purchase exactly what they want. They walked in the door wanting these photographs. Now we have to get you over the hurdle of letting them purchase them.

Educating Your Client

When I switched to In Person Sales, I expected people to push back on the idea. They don’t, and that really surprised me. I convinced myself for years that no one wanted to take more time to go through their photos with me, and that they might even be uncomfortable because they are boudoir images. Silly, isn’t it? Since I’m the one that took the photos?

The reality is that they are working with you, the expert, for a complete experience. They value your opinion & advice when it comes to their photographs. It makes perfect sense that they want your help with them!

Most of my clients thank me afterwards for doing this with them in person, helping them out with their selections. They all express how much easier it is for them. I wish I could go back in time and do it for all of my clients!

I make a point to talk from the time that they book about the consult that we are going to have after their session. I mention it again the day of their session. We set it up for 1-2 weeks after the session, but I have done them as soon as two hours after the session for clients who are in town for their session. As long as you tell them in advance that this is how you do it, most clients will gladly meet you to view the photographs in person. (Note, I said most. Not all. There are a few who want to view them online. I don’t allow it though, as per my privacy policy of not posting anything online.)

Where Do the In Person Sales Sessions Take Place

I have a studio space, so my appointments almost always take place there. If you do not have a studio, you could meet at a coffee shop, a wine bar, or at the same hotel where your client did their session. Your home or theirs. Select a location that fits your brand and style. Choose a place where you won’t get distracted or interrupted. If you use a computer for your sessions, try to find somewhere where you can sit in a corner, avoiding any prying eyes.

Who Should Come to the In Person Sales Session

I’ve started suggesting to my clients that if this is a gift for their spouse, they may want to bring them to the viewing session to unveil the photographs. So far, no one has taken me up on that offer in the past year; almost all of my clients have done gift sessions. I still think it is a great idea – that way, she can choose her favorite photos, and he can select his favorite photos as well. Maybe even make two albums instead of one – one for each of them!

How Should You Present the Photographs

I display my photographs for my clients on my 13″ Apple MacBook Air Laptop. I use Adobe Photoshop Lightroom 4 to go through the images with them. Another option would be to use 4×6 Proof Prints. Both work well as a way to sort them, organize them, select your favorites. The biggest thing is to have a system.

My In Person Sales Sessions

  • I greet my client, offer her something to drink, and we catch up. We sit side-by-side on the couch in my studio space.
  • I show her the Animoto slideshow I have made. It normally is about 3-4 minutes long, and I choose a peppy, upbeat song to go with it. I put 60-70 images in mine, so they aren’t displayed for long. Just enough to give her a taste. This seems to calm the nervous energy over seeing the photos for the first time.
  • Now it is time to dive in! I explain the process first, so she will know what to expect. We are going to go through the final images one time, rating the images with one star if she likes it. Quick and easy, go with her gut instinct. If there is hesitation, I still keep it. Ready, set, go!
  • We go through all images and give the ones she likes a 1 star rating. Quick, quick. Just a yes or no. If she shows interest in liking a particular image a lot, I give it 2 stars.
  • Once we have narrowed them down, I sort by the star rating and let her know how many images she chose. It is at this point I hand her my pricelist again. We talk about what albums I offer, which style & size she likes the best. State a price for things, and then stop talking. This used to be my biggest weakness. If I sensed any pause from them, I wanted to start knocking the price down to make the sale. No, no, no! Just … stop. Here is the price. If your client is silent, they may just be thinking. “Hmm, if I don’t buy that purse I was thinking about getting, I can upgrade to the larger album that I like more.” This may look to you like she doesn’t want to buy it and you’ll start rambling and before you know it you took $200 off the price and now maybe she will buy it and this is so stressful because what if she hates all the photos UGH! See? Don’t go there. Here is the price. Stop talking. Unless she asks questions, then answer those.
  • She has the pricelist, she has the sample albums, she knows how many photos from the session she likes — now it is time for me to ask her what she would like to do with her photos. An album or a book? Wall art? Gift prints? Digital files? Once I know this, we can move on to the next step.
  • Now we need to narrow down the images. I use the Grid mode in Lightroom (the Library screen) to do this. We pull out obvious duplicates or photos that are similar to each other, looking at the images using Lightroom’s Compare function.
  • Once we get to the final images for the album selection, I then note which images she wants for prints, and if she wants to add the digital files.
  • I do the math on the total and take her payment. Most pay for it in full there; some ask for payment plans, which I do offer. I do not order or deliver products until I have been paid in full.

That is My Process, What is Yours?

Everyone does this a little differently, and we can all learn from each other. This is the process that I go through. What is yours?

Coming up, I’ll be talking more about other apps you can use to help your sales process. For now, Lightroom and a computer? All that you need. This is easy. You can do it!

Photo Credit: linh.ngan via Creative Commons License