How Yahoo! replied to email identity theft concerns, after recycling email accounts
Could another person obtain access to sensitive personal information like my account numbers, pins, passwords, social media accounts, bank accounts etc? It seems that in our days there is no such thing as “sensitive personal information”.
After more than 3 months, users who obtained recycled email accounts from Yahoo! and have been using them for quite some time, declare that identity theft concerns do exist, after this procedure. Those users, according to Informationweek, seem to receive in their Inbox, not only marketing emails intended for the previous owners, but also accounts and pin numbers, and have access to various other information, like names, physical addresses or whatever you might think.
New account holders were interviewed to express their experience. Here’s an interested quote from the interview of an IT security professional, who signed up and became the holder of a recycled email account.
“I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding. The identity theft potential here is kind of crazy.”
And it doesn’t stop: Imagine court information, airline confirmations, funeral or wedding announcements, party invites, applications etc. So it is not just about unsubscribing from some mailing list. Another software executive mentioned:
“It’s clear that while the previous owner of the email account supposedly hadn’t logged in for a while, she was still actively giving out that email address”.
This is what we previously warned about email accounts that forward emails to other accounts. It is obvious that this person was receiving emails to another account, where she was logging in quite often. Now the original address belongs to somebody else.
In an effort to explain the difficulties in the procedures, Yahoo reveals that in some cases, the email bounce method was not enough to convince institutions and senders that the email address was no longer valid. The signals that Yahoo were giving off to inform senders that they should no longer send any email to this address for the old owner, were not being recognized. So emails continue to be sent.
In a statement to InformationWeek, Dylan Casey, senior director of platforms at Yahoo, said a couple of weeks ago they were working with companies to implement the RRVS email header standard (https://tools.ietf.org/html/draft-wmills-rrvs-header-field-00) .
This document defines a header field to be used on emails, called “Require-Recipient – Valid – Since”. The content of this header field is a timestamp indicating at what point in time the message author believed the address to be under confirmed ownership of a specific party. If the receiving system observes this field and can determine that the intended recipient mailbox has changed ownership since the provided timestamp, it can decline delivery, preventing possible misdelivery of mail.
Finally, last week, Yahoo announced the new ‘Not My Email’ button that would be added by the end of the week to the newly obtained accounts, which gives owners of these user names the ability to ‘return’ messages that were not meant for them. The button, which will be easily accessible from the Yahoo Mail inbox, will allow users to reject mail that isn’t theirs. This will function in a similar manner to the way you can put a ‘not at this address’ message on physical mail that comes to your house by mistake by the postman.
And the question rises: Have we reached back in the age of misdelivered direct mailings, with “not-my-address” messages on envelopes? In a way we have. Every age faces similar problems, with similar solutions, in a different environment. Let’s hope it turns out nicely.