I ran into an issue with a service that I was using earlier today. I won't mention any names to protect the (not so) innocent, but it struck me as a pretty big security problem.
I needed to access the service's website, but I forgot the password that I used when I signed up. Unfortunately I was with another company when I created my account, so I no longer had access to the email address I used when I created the account. I sent them a polite message (very slightly paraphrased):
I'm trying to get access to my account. I changed jobs over the summer and no longer can access the email address myemail@somewhere.com but I'm hoping I can change the address. Thanks!
I expected to have to call in, verify some security information, tell them something, ANYTHING to prove that I was who I said I was. Instead, I got the following reply (to a different email address) only 92 minutes later (again, slightly paraphrased):
I am sorry to hear you are encountering issues accessing your account. Please use the following link to provide a new password for your account.
https://a.url.where.i.can.easily.reset.my.password.with.no.further.verification.com
Once you are logged in go to "my account" and change the email address listed in your profile.
Maybe I'm reading too much into this... but in 2013, shouldn't we have better security than this? I literally could have been ANYONE sending this message. Fortunately there are no credit card details saved in my account, but I think this was too easy.
Do you think I'm overreacting here, or do you think companies have more of an obligation to determine identity in this situation? Please share your comments below.
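As an added example (not code from the post or from the service it describes), here is the check a recovery handler should have made in the situation above: an automated reset link is issued only to the address already on file, and any request to deliver it elsewhere, like the one the author sent, gets a manual identity-verification case instead of a link. The account store, addresses and token lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store (not a real service). The address on file is
# the only delivery channel an automated reset may use.
ACCOUNTS = {"user-123": {"email": "myemail@somewhere.com"}}

# Pending reset tokens, stored hashed: {account_id: (sha256(token), expiry)}
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset link


def handle_recovery_request(account_id, reply_to, accounts=ACCOUNTS, now=None):
    """Decide what a 'I lost access to my email' request may trigger.

    A request asking for the link to go anywhere but the address on file is
    the case in the post: it must not produce a reset link, only a case for
    out-of-band identity verification by a human.
    """
    now = time.time() if now is None else now
    account = accounts.get(account_id)
    # Unknown account and mismatched address get the same answer, so the
    # response does not reveal whether the account exists.
    if account is None or reply_to.strip().lower() != account["email"].lower():
        return {"action": "verify_identity", "deliver_to": None}
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[account_id] = (
        hashlib.sha256(token.encode()).hexdigest(),
        now + TOKEN_TTL_SECONDS,
    )
    # Only the hash is kept server-side; the raw token goes solely to the
    # address on file, never to the address the requester wrote from.
    return {"action": "send_reset_link", "deliver_to": account["email"], "token": token}


def redeem_reset_token(account_id, token, now=None):
    """Accept a token once, before expiry, comparing hashes in constant time."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.get(account_id)
    if entry is None:
        return False
    digest, expiry = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if now > expiry or not hmac.compare_digest(digest, presented):
        return False
    del PENDING_RESETS[account_id]  # single use
    return True
```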
In case it wasn't obvious, the URL they provided gave me the ability to reset my password; I then had full access to the account.
There is no tool more powerful in the modern day for bypassing the strongest of encryption methods and the most stringent security measures than simple social engineering. This same technique, when applied maliciously, can be used to obtain banking details, email accounts, or worse. Until we can remove the human element from security procedures, they will always be as vulnerable as the weakest-willed employee involved.