Sunday, July 11, 2010

Revoking internet access of people who can't remember their own damn email address.

My gmail address is rather simple.  Maybe a little too simple.  First initial, last name.  That's it.  Consequently, my spam folder is always full.  I don't see the vast majority of this, so it's a relatively minor annoyance at best.

But there's another type of unwanted, unsolicited mail I get that can't be avoided so easily.  Mail from people who can't enter their own email address correctly.  My last name is very common, so it's a phenomenon that started for me years ago.  Back then, when it was relatively minor, I used to actually bother to forward the messages to their rightful owner, when I could determine it.  Nowadays, this is starting to happen literally every day.  Every.  Single.  Day.

I'm not talking about dictionary spammers.  I'm talking about people with the same first initial and last name signing up for an account on a website using MY email address because they failed to type in the 0720 if their address was

What this allows me to do is to access the website from which the offending email originated, use the "forgotten password" mechanism, wait for the site to deliver the "forgotten" password, and I now OWN this user's account.  Which leads me to my next point.

It's not just the users who are asleep at the wheel.  It's the WEBSITE where the user created their account that is guilty as well.  Since so few of these sites bother to take their users' privacy seriously and validate the email addresses people use to sign up, this type of critical vulnerability in the site's account creation process is absolutely rampant.
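To make the "validate the address before you trust it" point concrete, here is an added example (not code from any of the sites mentioned, and not from this post): a minimal in-memory signup flow where the account stays unverified until an HMAC-bound token mailed to the address comes back, placed next to the "mail the stored password" recovery the post describes and a hardened version that only issues a reset token to verified addresses.  The store, secret and addresses are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed in-memory store; a real deployment would load the key from config.
SECRET = b"constructed-example-key"
ACCOUNTS = {}   # email -> {"password", "verified", "nonce"}


def _token(email: str, nonce: str) -> str:
    # HMAC over address + per-account nonce: the token only works for the address it was mailed to.
    return hmac.new(SECRET, f"{email}:{nonce}".encode(), hashlib.sha256).hexdigest()


def register(email: str, password: str) -> str:
    """Create the account UNVERIFIED and return the token that goes in the verification mail.

    If the registrant mistyped the address, the mail lands in a stranger's mailbox and the
    signup stalls there, instead of silently binding the account (and its data) to that mailbox.
    """
    nonce = secrets.token_hex(8)
    ACCOUNTS[email] = {"password": password, "verified": False, "nonce": nonce}
    return _token(email, nonce)


def verify(email: str, token: str) -> bool:
    """Mark the account verified only if the mailed token matches (constant-time compare)."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    if hmac.compare_digest(_token(email, acct["nonce"]), token):
        acct["verified"] = True
        return True
    return False


def forgot_password_weak(email: str):
    """The pattern the post complains about: hand the stored password to whoever owns the mailbox."""
    acct = ACCOUNTS.get(email)
    return acct["password"] if acct else None


def forgot_password(email: str):
    """Hardened: only a verified address gets a fresh one-time reset token, never the password."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["verified"]:
        return None   # same answer for unknown and unverified addresses, so nothing is leaked
    acct["reset_nonce"] = secrets.token_hex(8)
    return _token(email, "reset:" + acct["reset_nonce"])
```

Until `verify` succeeds, `forgot_password` returns nothing for the address, which is exactly the step that would have stopped the account takeovers described above.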

Today, I've been getting deluged all day with messages from facebook about friends and family accepting friend requests.  People I don't know.  Someone used my email address to sign up their facebook account.  I did a bit of probing to make sure that it wasn't someone posing as me to perpetrate something, but it's just someone else not being careful with their email address.

But it doesn't just stop with social sites.  I receive plenty of email from UPS, for example.  I can easily access a couple of people's UPS accounts, see their home addresses, could potentially redirect shipments at will.  On other sites, I have access to several people's private information, physical mailing address, social security numbers, DOB, bank information, you name it.  I have a boilerplate chastisement that I send to the offending sites that I hope is an eye-opener for them.  These sites' failures to take the extremely simple steps of validating someone's email address could potentially be opening them up to serious lawsuits.

Not only that, but social engineering hackers are becoming more and more devious.  I'm absolutely certain that there are some of them who specifically create accounts with simple usernames on web-based email sites like gmail for this very purpose.  They just lie in wait for someone failing to be cautious with their private information and before you know it, you're getting calls from the bank because you just spent 10 grand in three different countries in 5 minutes.  Given how often it's happening for me with my email address, I'm surprised this hasn't received more publicity because I'm positive it must be quite lucrative for the Bad Guys ™.

I'm starting to think that this might be the new cup-holder of our internet today and I'm the one who should be telling them they're too stupid to own a computer.

