Thursday, January 15, 2015

Email addresses and authentication of online accounts

Recently I've started thinking about the problems with the security of using "free" email addresses as the main method of personal authentication and control of important / sensitive online accounts. This all started because someone signed up for a account with *my* "free" email address after also attempting to retrieve usernames and reset passwords for a few other accounts using the same email address over the course of two days. (Not including, as I've never had an account there.) I logged in and changed my passwords to my more sensitive accounts, just in case... It didn't seem like a case of hacking, since the person also registered a new Toshiba laptop and was likely attempting to log in to things for the first time in awhile.

I've used the email address in question since at least 2006 as my main email address and have signed up for dozens of accounts with it over those years. The email address is based on my name without any numbers or any filler since I was the first one to get to it.

It appears that the person has a similar name (same first initial and same last name, at least) according to the info contained in the welcome email from match, but he (unfortunately) doesn't know what his email address is. Another thing that was VERY odd to me was that they ( sent both the username and plain-text password for the new account in the initial welcome email. Not like it needs to be crazy-secure, but it's possible there's sensitive information that the user has entered there and then accidentally sent control of to someone else.

In researching how to get rid of my email address on the other person's account, without logging into it, it seems that their policy is to contact support to cancel the account. Which I did, via their website, when I received the welcome email. After 3 days with no response from support and continuing to get emails at least 1-2 times daily from them for three days, despite attempting to unsubscribe from those emails every time I received them, I decided to delete the account.

So, this morning I logged in with the plain-text username/password from the welcome email and deleted the account. Thanks for nothing, support. I didn't want to have to do that, but I also don't want to see the all of the "matches" that he may be eagerly anticipating and not getting... and you probably don't have any way to contact him to actually correct his email address, since all he likely gave you was *my* email address instead of his.

I'm expecting to get another account welcome email today when the poor guy tries to log in again and finds his account deleted and builds another account. Maybe/hopefully he figured out his correct email address by now? If not, at least I know they'll send me the username/password and I can do it all over again.

I had a similar experience with Wells Fargo last year when someone signed up for online banking using my email address (because they forgot one character in their email address, based on their name). It took *me* multiple emails/phone calls to get that straightened out (for them). I'm not sure they had any idea they had entered it wrong and if they did, they didn't try to change it for awhile... Fortunately, that experience seemed a little more "secure" in that they didn't give me enough info to get it on my own directly, however (thinking back on it) I probably could have reset the password, since the confirmation likely would have come to my email address. I didn't want to have anything to do with messing with their bank account, though.

I'm feeling kind of fortunate that I don't have a common name.

I think it's time to take an inventory of all of the accounts I have signed up over the years and clean them up and then find more secure ways to control my own accounts so that I don't have to rely on a "free" email address from a large, for-profit corporation that I also don't trust completely with all of the power I've given them as the (in most cases) sole way to control access to the accounts I've signed up with it.


(Sorry for yelling!)

No comments :