Sites Leaking Users' Email Addresses
Pisang writes "CNet is running a story about how spammers and phishers can learn about our surfing habits to better target their attacks. According to the article, web sites that use e-mail addresses as IDs are vulnerable to attacks that could leak their users' email addresses. These attacks are performed by requesting a password reminder for an address or trying to register with it."
register with (Score:3, Interesting)
Re:register with (Score:3, Insightful)
Re:register with (Score:2, Interesting)
I think it would be more time and bandwidth efficient to just throw emails to a@blah, aa@blah, etc. and see which ones don't bounce back than to go through a login script f
Re:register with (Score:2)
Re:register with (Score:4, Informative)
Re:register with (Score:2)
Re:register with (Score:3, Insightful)
Re:register with (Score:2)
Yes. You'd better register with something@mailinator.com.
Re:register with (Score:2)
help@127.0.56.2
autoresponder@127.0.
i-know-you-fsckers-have-a-catch-all@localhost
Re:register with (Score:3, Funny)
Now, before you complain, think of it this way: those Borg admins have to have something to do to break the constant monotony of installing buggy patches to Exchange.
Re:register with (Score:2)
Re:register with (Score:4, Funny)
Naaww. My favorite to register on misc. sites is the e-mail address of "Bill.Gates@microsoft.com".
My favorite on annoyingsite.com is to use sales@annoyingsite.com
Re:register with (Score:2)
Re:register with (Score:2)
Re:I'll bite (Score:2)
some sites are completely retarded (Score:2, Interesting)
Disposable hotmail accounts, anyone? (Score:3, Informative)
Re:Disposable hotmail accounts, anyone? (Score:2, Informative)
like this one? (Score:3, Interesting)
Double thanks (Score:2)
Thanks from the spammer geeks that read
Thanks from the students who are probably now going to get a new surge of spam.
My employer has a similar type of directory. I made my point that it was too easy for spammers to collect email addresses. Of course no one believed me. Now everyone at my work complains about spam. The upper admins want a "silver bullet" spam solution and it takes forever for things to get eva
Re:Double thanks (Score:2)
Only deliver mails encrypted with the user PGP key to them. Everyone else gets an auto-reply to inform them about this policy and the location of the key.
Re:Double thanks (Score:2)
If it doesn't work automagically then it is not acceptable to them.
You and I know the realities of dealing with the scum of the Internet but it is going to take a while longer for everyone else to catch up.
Another problem (Score:5, Interesting)
When you register for an account at a website, and that account doesn't ever expire, yet your e-mail address is one that expires if you don't check it, this creates a problem, especially if you have site updates.
Hypothetically, someone registers an account at a travel website. Their e-mail address is used, and it doesn't matter if it is used for a username or not. This account at the travel website never expires, even if you never go back to it again. Yet the company will keep sending you updates concerning their business. Well, if you let your e-mail address expire, and someone else registers it later on, they won't have trouble doing a password request which will allow them into your account, which will contain your personal information.
Re:Another problem (Score:3, Insightful)
This is the reason that most ISPs and web mail providers don't allow anybody to register an email that's been registered at any time in the past.
From the law offices of James Sokolove... (Score:3, Funny)
Have you ever allowed your email address to expire, and, if so, did someone else claim your email address and then go to websites asking them to send your passwords to that old email address?
If so, the law offices of James Sokolove would like to help. Please contact us at http://www.jimsokolove.com/contact/ [jimsokolove.com].
Note that if you cannot remember your account password at jimsokolove.com, then the law offices of James Sokolove will be happy to send a password reminder to your registered email address.
Thank
Re:Another problem (Score:3, Insightful)
I can't believe that's true, even of MSFT -- email addresses should NEVER be reused. Even at my old company where we used "bad" email addresses like "dan@mycompany.com," even if dan left, we'd never reissue that email address, even if it was the new CEO. You just can't do that!
I would however be somewhat concerned about expiring
Re:Another problem (Score:2)
What is it right now? 30 days for e-mail to be deleted? 45 days for the account to expire completely so it can be reregistered? Am I correct on this?
I can agree with e-mail being deleted from the account after a certain period, since it is their space being used up.
I cannot agree with the account expiring in such a short period. Doesn't it take like 7 years for someone to be declared legally dead? I personally would like to see Hotmail ac
Re:Another problem (Score:2)
I had accounts just sitting there for years before. (I suppose that's why they instituted that policy)
Re:Another problem (Score:2)
Why am I saying this? Simply because some people may have forgotten their password to their ICQ account and their profile has personal information they want removed.
Re:Another problem (Score:2)
Rik
Got a Wikipedia Account? Vandals Got Your Password (Score:5, Informative)
As an on-again, off-again Wikipedian [wikipedia.org] responsible for countless edits as well as several full articles, I used to be happy to leave administrative matters there to others. Such was my bliss, anyway, until I stumbled upon something extremely troubling--something that forced upon me an awareness of the project's astonishingly careless attitude toward privacy and security. This is the product, apparently, of an obsession with countering vandalism so all-consuming that administrators are even willing to expose unlucky bystanders to identity theft.
This is what I discovered.
A Wikipedia developer, intending to catch sockpuppet accounts (multiple accounts created by the same individual), queried the user database for a list of accounts whose passwords matched passwords belonging to known vandals and trolls. Hoping the results would be useful to others, he published his findings [wikipedia.org] on his user page. Of course, such a list necessarily included anyone who happened to be using, merely by coincidence, the same passwords as the targeted individuals. As a matter of fact, it seems likely that the dragnet caught at least some people by chance alone. But only the people on the list could know for sure.
That in itself sounds unfortunate, but none too dangerous. The horrifying punchline is this: in publishing the results of his query, the developer had effectively given these vandals and trolls a list of usernames with whom they shared a password. And once so equipped, the vitals of each compromised account--including the email address--were just a login away.
Leaking people's passwords, usernames, and email addresses to anyone is damaging enough, let alone to established miscreants.
Anywhere else, a mistake like this would be acknowledged, the offending information removed, and the potential victims notified. Not so on Wikipedia, where the list spawned nothing but a protracted debate [wikipedia.org] and then a vote to remove the page [wikipedia.org]. In a second blow to Wikipedia's reputability--the first being the mistake itself--the vote finally succumbed to addled logic and shortsightedness, as did a motion to restrict its visibility to site administrators. And so the page has remained linked and visible now for almost a full year, a threat to any innocents listed therein and an affront to anyone with an interest in their privacy and personal security.
Imagine if you were on that list. (In fact, maybe you are.) Wouldn't you wonder how it was possible for Wikipedia to expose your password to malicious users for the better part of a year? Wouldn't you marvel that no one had alerted you?
I don't mean to single anyone out here, which is why I've refrained from mentioning the name of the careless developer. The real indictment, in my view, is of the process that:
It is my opinion that this incident is only symptomatic of a larger problem: Wikipedia's tradition of policymaking by ad hoc polling. It is also, perhaps, a harbinger of disasters to come. A draft privacy policy [wikimedia.org] offers some hope, but interest in its adoption appears to have stagnated.
For the foreseeable future, then, it would be unwise for anyone to entrust their privacy to the Wikipedia site, when the project's developers and administrators have so clearly demonstrated a severe unfitness to guard it, to say nothing of a callous contempt for the real-world safety of contributors.
----
Note: If my anonymity gives you pause to question my credi
Re:Got a Wikipedia Account? Vandals Got Your Passw (Score:2)
so I'm not on the list.
Re:Got a Wikipedia Account? Vandals Got Your Passw (Score:3, Interesting)
You just don't give out info about people's passwords. At all. Yeesh.
Re: Vandals Got Your Password --- DUH (Score:3, Insightful)
Re:Another problem (Score:2)
Yet another good reason to always have a personal email address at a domain name you control. I've used one of two or three domain names for years - when I let an address expire, it's really, REALLY gone. A domain name is cheap, $10/year or less. Most registrars will allow "forward" accoun
Re:Solution - your own domain (Score:2)
Password reminders (Score:5, Interesting)
Another problem with "password reminders" I find is that people put far too obvious answers - for example when I was back at school I managed to gain access to someone's hotmail account because their "secret question" was "what do I do at the weekends?" and he'd been on local TV, newspapers and school newsletter about his football (soccer) refereeing.
Re:Password reminders (Score:3, Insightful)
Like "What is my favorite movie?" then the person lists her favorite movie in her profile.
What they need to do is require four secret questions, all needing to be answered correctly to go on.
A good reminder is not to have a secret question that a background search or a Google search will turn up.
HOW does this help? (Score:3, Informative)
As soon as they get the FIRST question they have the information they need, that this is a valid email address.
If you don't put the email address in in the first place, then you don't need any secret questions at all.
Re:HOW does this help? (Score:2)
I meant all four secret questions need to have all of them answered correctly to go on. Meaning if you get one right, and the other three wrong, it will still say wrong. It won't give any hint that one of those was right. Kind of like how Yahoo! doesn't tell you that part of it is right, when filling out the birthdate, location, and such.
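The all-or-nothing check this poster describes, written out as an added Python example that is not code from the thread: several stored answers are verified together, the caller gets a single yes/no with no hint about which answers matched, answers are normalized before hashing (so "Atkins" and "atkins " agree), and every answer is compared in constant time even after a mismatch. The per-account salt and the helper names are assumptions for illustration.

```python
# Added example (not from the thread): all-or-nothing verification of a set
# of secret answers, with no partial feedback to the caller.
import hashlib
import hmac


def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so trivial typing differences match."""
    return " ".join(answer.strip().lower().split())


def answer_digest(answer: str, salt: bytes) -> bytes:
    # Store digests rather than plaintext answers; the salt is assumed to be
    # generated per account at enrollment time.
    return hashlib.sha256(salt + normalize(answer).encode("utf-8")).digest()


def enroll(answers: list, salt: bytes) -> list:
    """Digests to keep on file for the account's secret answers."""
    return [answer_digest(a, salt) for a in answers]


def verify_all(stored: list, given: list, salt: bytes) -> bool:
    """True only if every answer matches; otherwise a bare False.

    There is no early return and no per-answer result, so a caller who got
    three of four right learns nothing more than one who got none right.
    """
    if len(stored) != len(given):
        return False
    ok = True
    for digest, answer in zip(stored, given):
        # Constant-time comparison of each digest; keep checking after a miss.
        ok &= hmac.compare_digest(digest, answer_digest(answer, salt))
    return ok
```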
Re:HOW does this help? (Score:2)
1. The phisher doesn't need to answer any of them. As soon as they get the questions they know the email address is valid.
2. If someone's trying to recover their password, how the hell do you think they're going to remember what they answered four questions months or years ago? "First grade English teacher? Wasn't that Atkins? Or did I say Rhonda Atkins? Oh, to hell with it..."
Re:HOW does this help? (Score:2)
Two: Most people tend to have one teacher as their first grade teacher, and still we tend to go by the last name. So if someone were to use that, they'd most likely use just the last name. And if someone can't remember the secret answers to their secret questions four months after the fact, there are probably worse problems going on.
Re:HOW does this help? (Score:2)
I don't see that it helps anyone.
The "secret question" technique is pointless online, whether you have one, two, four, or a thousand questions. The only point to it in the real world is that there's no unique token they can exchange with the person calling to "prove" who they are. Mailing a unique token to the requestor's email address is more than enough security for all the sites I know of that use this technique, they don't need a "secret ques
Re:HOW does this help? (Score:2)
Re:HOW does this help? (Score:2)
I don't think it's OK to have a system that's going to hurt a lot of people just because I'm aware of the problems and can avoid using it.
Re:HOW does this help? (Score:2)
Also, secret questions should be entirely optional. Nothing wrong with the concept of having a randomly created new password sent to an alternative e-mail address.
Re:Password reminders (Score:2)
Re:Password reminders (Score:2)
Re:Password reminders (Score:2)
But as for secret questions, well, even with safeguards in place, someone might be able to find out what the answer is to the secret question. A celebrity's life is out in the open, and with background checks, their life is an open book.
-
Pet names, teacher names, favorite type of stuff, etc., can
Don't PATCH it, FIX it. (Score:5, Insightful)
I've got a better idea. Don't require the user to give you their email address EXCEPT for initial registration. Don't use their email address as their ID. Don't ask for email address for password reset*. Just take the user ID, send the message, and have done with it.
This is a case where there's really no good and easy way to fix the security problem except by backing up and not doing the thing that causes the problem. This is like someone's saying "I want to leave my front door open while I'm not at home, so my cat can get in and out." and then coming up with "Well, you can set up a webcam to close the door when something bigger than a car comes up" instead of "Don't DO that, use a cat-flap".
----
* Why sites do that, I don't know... there's no extra security from having a login name AND an email address typed in by the user, since the verification mail won't go to anyone but the real user... all it does for me is make me generate a new account 'cos I don't know what email address I used to sign up with because of exactly this kind of problem.
Re:Don't PATCH it, FIX it. (Score:2)
Two reasons. One, it provides a good secure mechanism for password recovery. Two, it makes it harder for spammers to autoregister without leaving a trail.
Why do you need registration at all?
To reduce comment spam, mostly.
Re:Don't PATCH it, FIX it. (Score:2)
The free mail account people had been abused by spammers for dropboxes for years before this universal registration stuff started. They already watch for suspicious numbers of accounts from the same sources, and blacklist 'em.
And if they use their own servers they're telling the people they're spamming where their
Re:Password reminders (Score:3, Interesting)
When you create your account, give your public key with it. From then on, they know who you are (at least in a digital way). The service's public key can likewise be gotten from their site or a keyserver.
This can presumably be thwarted too but it would be much more difficult.
Re:Password reminders (Score:2)
An easier way... (Score:2)
B.
Add your pros and cons here (Score:5, Interesting)
pros for using email as login:
After reading the article, I've just adjusted my registration page (on my work site, not on sportsdot [sportsdot.org], my perl ain't what it should be) to not give the "pick another account name" if a user tries to register an existing email address. Both success and failure now go to the "Your password has been mailed to ." I send either a success or "this account is already in use" message to the email address. I also stuck on a 3 registration attempts per day per email address whether success or failure to prevent me from inadvertently spamming.
Re:Add your pros and cons here (Score:3, Interesting)
Re:Add your pros and cons here (Score:2)
Re:Add your pros and cons here (Score:2)
`email` varchar(255) NOT NULL,
as the primary key. How the database then deals with that is an internal issue. I agree with you, best practice is to use something like:
`emailHash` bigint NOT NULL,
Re:Add your pros and cons here (Score:2)
If you create an index on a varchar 'email' field, the SQL server creates the hashes for you, and probably with considerably greater efficiency as it has raw database access.
A string select on an indexed field should be no slower than an integer one, if your SQL database is worth a damn. Using your own hashes may be a lot slower - how are you dealing with collisions for example? A round trip to the server to find 10 records with the same hash is a *lot* slower than jus
Re:Add your pros and cons here (Score:2)
Re:Add your pros and cons here (Score:2)
Re:Add your pros and cons here (Score:2)
Re:Add your pros and cons here (Score:2)
Re:Add your pros and cons here (Score:2)
Maximum number of unique domains per ip address? Then you'd probably need a separate exceptions list for free email addresses...
Yeah, it's probably too hard.
Re:Add your pros and cons here (Score:4, Insightful)
Here's another one, and it ties into the original posting: it's the same problem as using biometrics for identification: using an ID or password that's hard to change. You don't want to use that kind of ID casually, because you want to make sure that people who have your ID have an incentive to be at least as careful with it as you would be.
If you use your thumbprint to pay for a drink at a bar, how good a job do you think the bar is going to do about making sure someone else doesn't game their sensor with a bit of latex on their fingertip? If someone steals your credit card, you can cancel it and get a new credit card. If someone steals your thumbprint you're hosed.
This is the same kind of thing. If someone finds out that there's someone with the handle "fishdan" on slashdot, they don't have anything useful. If they have your email address, they have something useful that's hard to change (look at me, I'm using year-tagged email addresses and I'm thinking of going to month tags). Plus, if you DO change your email address you have to change it EVERYWHERE (which is why I've got spam filters that reject entire countries for my main email address... because I've had it for about as long as personal domains have been available and I'm really loath to dump it).
And because of all this, what this means is that all email addresses have to be treated as disposable, even the supposedly private ones you use for account registration only. Which means that now your email address has the same problem as any other name: you have to remember a bunch of them, you have to remember where you used them, and if you only keep 'em long enough for the verification you can't relogin with the old address.
Re:Add your pros and cons here (Score:2)
In practice, regarding emails, I'm not sure how real a threat it is -- Even though someone may "know" my email address, they won't have access to my email? They can send fake email from me, but they don't have my PGP. Aside from being a potential recipient of SPAM, what is the harm to me that someone knows my email address? Leaving unsolicited email out of the equation for a moment, your email address HAS to be known by
Re:Add your pros and cons here (Score:2)
Read the original article.
The idea is that people are using this technique to target spam and phishing techniques based on where the email addresses in their databases are pointing to. Whether or not you personally care about YOUR address being "surgically targeted", the bigger problem is the effect on the net when a large number of people are targeted like this.
1. Spam becomes mor
Re:Add your pros and cons here (Score:3, Interesting)
(Their implementation of the image/text challenge is awful, though - most of the time, the text is in all caps, but the response is only accepted in lowercase.
Re: (Score:2)
Registration Validation (Score:4, Interesting)
Re:Registration Validation (Score:2)
Re:Registration Validation (Score:2)
Is that you bob@aol.com?
Keeping the spammers at bay (Score:2, Offtopic)
Re:Keeping the spammers at bay (Score:2)
I still get 30 spam e-mails a day (for the record Gmail only lets about 2 or 3 into my Inbox). My guess is it's because my ISP email (also: Issssss@myisp.com) has been used in a dictionary.
Spammers obviously know people are going to be signing up to Gmail.
Re:Keeping the spammers at bay (Score:2)
My experience has been that if I keep an email address away from the web, and never, ever let it appear on any website or directory anywhere, that email address will never, ever get spammed or phished.
Until the machine of one of your contacts gets pwned and your address gets out into the wide world. Although I do the same as you, I still have to rely on a good Bayesian filter.
Re:Keeping the spammers at bay (Score:2)
Typically if you're on a provider with a large user base you will get spam regardless of the address used because they will even try generating addresses.
They don't do it to smaller providers though.
Ocean-centric view of the world (Score:2, Funny)
I believe you miswrote spammers. The word you are looking for is shark and/or dolphin. People get spammers, sharks and dolphins mixed up all the time. You can tell them apart from the dorsal fin.
Re:Ocean-centric view of the world (Score:2)
OK, but what the hell is the difference between a dolphin and a porpoise?
Oh, and hopefully the chef knows the difference between a dolfin and a dolphin.
I love challenge/response! (Score:5, Informative)
Do I still get spam? Yes. The 419 scammers can get through. I see one of them once every 6 months or so. I just blacklist them. 2 spams a year is much easier to deal with than 12000. Do I see automated spam? Nope. Haven't seen one of those in my mailbox since 2001.
IMHO, C/R is the best tool that I've seen to allow me to not worry about giving out my email address to others. I wish there was a way in which we could create a small experiment on the internet in which everyone used C/R, and see what happened to spam. My prediction: it would disappear. And when that happened, no one would be afraid to give out their email address. No one would be worried about companies leaking their email addresses. This story would not be interesting enough to make the front page of
(FWIW, I fully understand the argument that says that C/R is bad. [netcom.com] I do not agree with its accuracy nor its validity. I'm happy to argue about the merits of C/R, but recognize that a lot of these arguments have been addressed by TMDA and other well behaved C/R. [templetons.com])
Re:I love challenge/response! (Score:2)
I quite fancy using "<first name>@<site name>.surname.com" like "john@yahoo.smith.com" that way I can have all my family using the same method but, unfortunately, my e-mail provider [fastmail.fm] can't support it (yet).
The subdomain will specify the label or folder.
Re:I love challenge/response! (Score:2)
Re:I love challenge/response! (Score:2)
Greylisting [puremagic.com] is a very powerful spam reduction technique that works transparently. The OpenBSD spamd [openbsd.org] daemon has a greylisting mode, and has reduced my spam to a trickle.
Challenge/response can be quite irritating, in particular when someone posts to a public mailing list and uses
Re:I love challenge/response! (Score:3, Interesting)
Forgot to mention: I use greylisting also. I like its transparency. However I've found that I have to tweak the wait time. The default time prevents delivery from too many real users. I've settled on 3 mins as a reasonable time.
I don't like heuristic systems (e.g. spamassassin). When they produce a false positive, no one knows. Neither the sender nor the recipient knows that a legit email has been incorrectly iden
Re:I love challenge/response! (Score:2)
Re:I love challenge/response! (Score:2)
My mailing list was getting it in response to all sorts of stuff.. verification emails, standard mailings, etc. The response I got back from some people when I asked them to whitelist the list members was *another* C/R email!
Worse was that most viruses spoof their email address now and C/R systems just become spam generation machines when faced with that influx of virus payload. One of these was so bad I had to report the offender to an antispam list and get him blacklisted (ov
Re:I love challenge/response! (Score:2)
Sold anyway (Score:2, Interesting)
email confirmation before registration (Score:2)
This is really about better CMS design (Score:2, Interesting)
Of course if you post a user's email addy, a spammer is going to find it.
Another step that should be taken, to prevent phishing, is to move to a copy/paste method for VALIDATION. Right now user validation is handled with a clickthrough. This leads to users relying on clickthroughs to get things from your website.
My new cms [scottleonard.ca] is currently being forked into two versions:
Yay for sneakemail (Score:5, Interesting)
catchall email (Score:2)
99% of the spam I get comes from some porn sites I once bought something from. They overbilled and sold my address, so now I put all the porn I downlo
Gmail (Score:4, Informative)
I believe it is more common . . . (Score:2)
We should ban it now, before it's too late. (Score:2)
We could make a "slight" exception for opt-in newsletters, but any sort of commercial message that has not been explicitly asked for, and signed for in the clearest possible way, should open the sender up to extreme fines. It
Why do I need to register in the first place? (Score:2)
Why do I need an account in the first place? I have far too many accounts as it is, I don't need more.
Case in point: I wanted some book not in any local store, and had a 10% Barnes and Noble online discount. I quit the order when they asked for a password. I gave them my address and credit card number. That is all they need to ship the order, I don't want a stupid account, I want the book. There is nothing of mine they need to save. I know my address, I have more passwords than I can remember.
Even
This is a simple variation on username searching (Score:2)
The website simply needs to return the same message regardless of whether a username/email is registered or not. It's not highly user friendly, but it's a reasonable tradeoff to prevent giving information to people who are not authorised to receive that information. The website can simply say that "if the account name@email.com exists, a password reset email has been sent". It could then explain that it is unable to reveal if an email address is valid to protect th
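The uniform-response handling this post and the sportsdot poster's registration change above both describe, as an added Python example that is not code from the thread or from any site named in it: the web response is the same string whether the address is new, already registered or over its daily cap, the distinction only reaches the mailbox owner, and a per-address limit (3 per day, as that poster chose) bounds how much mail a third party can trigger toward someone else's address. The Outbox mail stub, the AccountService class and the toy password storage are assumptions for illustration.

```python
# Added example (not from the thread): enumeration-safe registration and
# password-reset handling with a per-address daily cap.
import secrets
from collections import defaultdict
from datetime import date

MAX_ATTEMPTS_PER_DAY = 3  # same cap whether the attempt "succeeds" or not
UNIFORM_MESSAGE = "If that address is valid, instructions have been mailed to it."


class Outbox:
    """Stand-in for a mail transport: records (recipient, subject) pairs."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject):
        self.sent.append((to, subject))


class AccountService:
    def __init__(self, outbox):
        self.outbox = outbox
        self.users = {}                   # email -> placeholder credential
        self.attempts = defaultdict(int)  # (email, day) -> attempts so far
        self.reset_tokens = {}            # email -> one-time reset token

    def _uniform_message(self):
        # Exactly one string for every outcome, so the requester learns nothing.
        return UNIFORM_MESSAGE

    def _allowed(self, email):
        key = (email, date.today())
        self.attempts[key] += 1
        return self.attempts[key] <= MAX_ATTEMPTS_PER_DAY

    def register_leaky(self, email):
        """The behaviour the thread warns about: the reply reveals existence."""
        email = email.lower()
        if email in self.users:
            return "That address is taken, pick another account name."
        self.users[email] = secrets.token_hex(8)
        return "Registered."

    def register(self, email):
        """Hardened form: identical reply; only the mailbox owner sees which."""
        email = email.lower()
        if self._allowed(email):
            if email in self.users:
                self.outbox.send(email, "This address already has an account")
            else:
                self.users[email] = secrets.token_hex(8)
                self.outbox.send(email, "Welcome: your account is ready")
        return self._uniform_message()

    def request_reset(self, email):
        """Same reply whether or not the address is on file or over its cap."""
        email = email.lower()
        if self._allowed(email) and email in self.users:
            self.reset_tokens[email] = secrets.token_urlsafe(32)
            self.outbox.send(email, "Password reset link")
        return self._uniform_message()
```

Response timing is still a side channel in this sketch (the existing-address branch does more work), so a production handler would also queue the mail asynchronously so both paths return in the same time.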
quite interesting (Score:2)
*YAWN* (Score:2)
Not really (Score:2)
Ok, so you take out some phishers. They will simply keep coming. This is akin to trying to make MS secure; until you change the underlying problem, you are simply throwing money into a bottomless pit.
The way to stop phishers is to change the protocol. https helps, but there are problems due to the set-up. The registry companies have gotten greedy and will stop any competition, but allow anybody to register. Big mistake all around.