Okay it’s not, that was a bit of an exaggeration. However, a fundamental way in which it’s used is broken, and it’s broken in quite a serious way.
Your Email is You and You are your Email
Most of the social networking services that we use (Twitter, Facebook, LinkedIn, etc.), as well as most subscription-based services on the Internet, use a verified email address as a means of user identification. You sign up with your email address and a password, they send an email to your account, that email contains a link, you follow the link, and hey presto! you are verified as being a real live human being. Well, an entity with an email address at any rate.
The Link Between a Person and Their Email Account is Unbreakable
Because an email address is for life, right? Well, I signed up to a lot of these services with an account I had at the garyshort.org domain, which I owned. Time passed and the registrar I used went bust. The “ownership” of my domain became unclear and I was unable to renew it when it was required. To cut a long story short, I lost the domain.
This was annoying, but it only handled my email and pointed to this blog, hosted on WordPress, so I set up a new email address, and thought no more about it.
Forced Password Resets are Good for Security
Time passed, quite a lot of time actually, and LinkedIn managed to get themselves hacked. I didn’t really care, it wasn’t a big problem for me, I use “once only” passwords for everything, so knowing my LinkedIn password only gained a hacker access to my LinkedIn account and LinkedIn had already secured that. I was happy enough, I’d change my password next time I logged in.
You see I’m not a security guy so, in my head, I thought the process would be that I’d log in, I’d be taken to a “change password” page where I’d input a new password and that would be that.
Of course, that’s a dumb idea, as the hacker has my password, so if it worked like that, the hacker could reset my password and lock me out. To stop that, what happens is, next time you log in, you get a message saying that a forced password reset has been triggered and a link has been sent to your email address for you to follow and reset your password. This makes perfect sense, only I don’t have that email address anymore.
Coincidentally, and almost at the same time, I also got a forced password reset message from Twitter. Same thing. No, you can’t log in now, we’ve sent you a reset link to your email address.
Well that’s annoying, but that sort of thing must happen a lot, so there must be a way to fix it, right? Wrong! A search of Twitter’s support pages tells me I’ve pretty much lost my account, if I lose access to my email address:
Solution: Regain Control of the Domain
Seems the only way I can regain control of my Twitter account is to regain control of my domain, so I set about finding out who has it now. The current owners are hidden behind ShieldWhoIs, so I use the contact form there to see if I can get my domain back.
I get an almost instant reply telling me I can get my domain back for $1,500!
Would the Real Gary Short Please Stand Up?
At first, that just annoyed me and then I got worried, really worried. You see these guys are clearly not the most reputable bunch and all they have to do is issue a password reset to all the services I signed up to and the reset link will come to them, they can then reset it and bam! they are me. A script can be written to automate this, it’s trivial.
Not only are they me on every service I signed up to using that email address, but they are me on any service that I currently use Twitter OAuth to sign into, remember I can’t get into my account, so I can’t unauthorise any of these other services.
Relax, no one Wants to be You!
Right, no one wants to be me per se, but the account is valuable, and here’s how. Twitter, in line with many services, has a sophisticated anti-spam system that will hunt down and kill spamming accounts. But a real account that a spammer has gotten control of could continue spamming for days or weeks before the spam posts outweigh the years of legitimate posts and the spam-hunting software hunts it down.
There’s Money to be Made Here!
Okay, so even if a spammer can use my account to spam for weeks before being caught, that can still only be worth pennies to him, right? Hmm, maybe. Let’s say that’s true and each hijacked account is only worth pennies; if you are doing it at scale, then there’s a fortune to be made, and it’s pretty obvious from the above email that whoever has my domain is only interested in making money out of it.
Think about it, there are 500 million users on Twitter and 1 billion users on Facebook. The intersection of users and domain renewals must be large, and if the spammers pick up even a small fraction of them then there’s a fortune to be made.
Oh the Irony!
If it weren’t so serious, it would be funny. Twitter will not talk to me. They claim they can’t do a thing to help me if I don’t own the email address I signed up with. They do this all in the name of security. They say that the email address is the only way to verify that it’s me. Only it won’t be me, the spammers will use Twitter’s own security protocol to take control of my account, and that same security protocol will prevent me from stopping them.
Twitter Must be Worried, Right?
You’d think so, I mean this represents a potentially large spamming problem that would be very difficult to counter with software, and which could ruin their “pay to promote” advertising model. But as it turns out, they don’t give a damn.
As you can see from the image above, they have no interest in helping me regain control of my account if I lose access to my email. I contacted them days ago, via official channels, and haven’t even gotten an acknowledgement of my concern by way of return.
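The post argues that a re-registered domain turns the reset-link flow into a takeover path, and that this is hard for a service to counter in software. One cheap check a service could run before sending a reset link is the one below: compare the date the account was created with the date of the email domain’s current registration, and hold any request where the domain was registered after the account existed for extra verification instead of mailing the link. This is an added example written for this page, not Twitter’s code or any real service’s; the WHOIS-style registration dates are constructed sample data and the domain names are placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data standing in for a WHOIS lookup: domain -> date the
# *current* registration was created. A lapsed-and-re-registered domain has a
# creation date later than the original owner's sign-up.
DOMAIN_REGISTERED = {
    "stable-mail.example": date(2005, 1, 15),     # held by the same owner throughout
    "lapsed-domain.example": date(2013, 3, 2),    # re-registered after the original owner lost it
}


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    created: date  # date the user signed up with this email address


def email_domain(email: str) -> str:
    """Return the lowercased domain part of an email address."""
    if email.count("@") != 1:
        raise ValueError(f"malformed email address: {email!r}")
    return email.rsplit("@", 1)[1].strip().lower()


def triage_reset_request(account: Account, lookup: dict = DOMAIN_REGISTERED) -> str:
    """Decide how to handle a password-reset request for this account.

    Returns one of:
      "send_link"       - the email domain predates the account; mail the link as usual.
      "hold_for_review" - the domain was (re)registered after sign-up, so the mailbox
                          may now belong to someone else; require another factor.
      "unknown_domain"  - no registration data; treat conservatively.
    """
    domain = email_domain(account.email)
    registered = lookup.get(domain)
    if registered is None:
        return "unknown_domain"
    if registered > account.created:
        return "hold_for_review"
    return "send_link"


def flag_accounts(accounts, lookup: dict = DOMAIN_REGISTERED):
    """Batch form of the same check: usernames whose reset flow must not auto-send."""
    return sorted(
        a.username for a in accounts
        if triage_reset_request(a, lookup) != "send_link"
    )


if __name__ == "__main__":
    # Constructed accounts: one on a stable domain, one on a domain that changed hands.
    sample = [
        Account("alice", "alice@stable-mail.example", date(2009, 7, 1)),
        Account("gary", "gary@lapsed-domain.example", date(2008, 11, 20)),
        Account("eve", "eve@never-seen.example", date(2010, 1, 1)),
    ]
    for acct in sample:
        print(acct.username, "->", triage_reset_request(acct))
    print("held:", flag_accounts(sample))
```

The check is deliberately one-sided: a domain registered before the account says nothing about whether the mailbox is still the user’s, so it only ever adds friction, never removes it. The real defence for the user remains the one the post gives, a second recovery factor enrolled while the original mailbox still works.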
So What can we Do?
The short answer is nothing: if you’ve lost control of your email address you’re screwed, like me. If not, make sure you are using an email address that you stand the best chance of holding on to; use a Hotmail address or similar. Also, if there are other means of identification that a service offers you, then take them, no matter that it might seem a pain at the time. Trust me, the alternative is worse.
Oh, and pass this around to your friends and family, make sure they see it too.
To end, I’d just like to say: “I’m Gary Short!”