The Internet is Broken and Here’s How

Okay it’s not, that was a bit of an exaggeration. However, a fundamental way in which it’s used is broken, and it’s broken in quite a serious way.

Your Email is You and You are your Email
Most of the social networking services that we use (Twitter, Facebook, LinkedIn, etc.), as well as most subscription-based services on the Internet, use a verified email address as a means of user identification. You sign up with your email address and a password, they send an email to your account, that email contains a link, you follow the link, and hey presto! you are verified as being a real live human being. Well, an entity with an email address at any rate.

The Link Between a Person and Their Email Account is Unbreakable
Because an email address is for life, right? Well, I signed up to a lot of these services with an account I had at the domain, which I owned. Time passed and the registrar I used went bust. The “ownership” of my domain became unclear and I was unable to renew it when it was required. To cut a long story short, I lost the domain.

This was annoying, but it only handled my email and pointed to this blog, hosted on WordPress, so I set up a new email address, and thought no more about it.

Forced Password Resets are Good for Security
Time passed, quite a lot of time actually, and LinkedIn managed to get themselves hacked. I didn’t really care; it wasn’t a big problem for me. I use “once only” passwords for everything, so knowing my LinkedIn password only gained a hacker access to my LinkedIn account, and LinkedIn had already secured that. I was happy enough; I’d change my password next time I logged in.

You see I’m not a security guy so, in my head, I thought the process would be that I’d log in, I’d be taken to a “change password” page where I’d input a new password and that would be that.

Of course, that’s a dumb idea, as the hacker has my password, so if it worked like that, the hacker could reset my password and lock me out. To stop that, what happens is this: next time you log in, you get a message saying that a forced password reset has been triggered and a link has been sent to your email address for you to follow and reset your password. This makes perfect sense, only I don’t have that email address anymore.

Coincidentally, and almost at the same time, I also got a forced password reset message from Twitter. Same thing. No, you can’t log in now, we’ve sent you a reset link to your email address.

Well that’s annoying, but that sort of thing must happen a lot, so there must be a way to fix it, right? Wrong! A search of Twitter’s support pages tells me I’ve pretty much lost my account, if I lose access to my email address:

Solution: Regain Control of the Domain
Seems the only way I can regain control of my Twitter account is to regain control of my domain, so I set about finding out who has it now. The current owners are hidden behind ShieldWhoIs, so I use the contact form there to see if I can get my domain back.

I get an almost instant reply telling me I can get my domain back for $1,500!

Would the Real Gary Short Please Stand Up?
At first, that just annoyed me, and then I got worried, really worried. You see, these guys are clearly not the most reputable bunch, and all they have to do is issue a password reset to all the services I signed up to; the reset link will come to them, they can then reset it and bam! they are me. A script can be written to automate this; it’s trivial.

Not only are they me on every service I signed up to using that email address, but they are me on any service that I currently use Twitter OAuth to sign into. Remember, I can’t get into my account, so I can’t unauthorise any of these other services.

Relax, no one Wants to be You!
Right, no one wants to be me per se, but the account is valuable, and here’s how. Twitter, in line with many services, has a sophisticated anti-spam system that will hunt down and kill spamming accounts. But a real account that a spammer has gained control of could continue spamming for days or weeks before the spam posts outweigh the years of legitimate posts and the spam-hunting software catches it.

There’s Money to be Made Here!
Okay, so even if a spammer can use my account to spam for weeks before being caught, that can still only be worth pennies to him, right? Hmm, maybe. Let’s say that’s true and each hijacked account is only worth pennies; if you are doing it at scale, then there’s a fortune to be made, and it’s pretty obvious from the above email that whoever has my domain is only interested in making money out of it.

Think about it: there are 500 million users on Twitter and 1 billion users on Facebook. The intersection of those users and lapsed domain renewals must be large, and if the spammers pick up even a small fraction of them, then there’s a fortune to be made.

Oh the Irony!
If it weren’t so serious, it would be funny. Twitter will not talk to me. They claim they can’t do a thing to help me if I don’t own the email address I signed up with. They do this all in the name of security. They say that the email address is the only way to verify that it’s me. Only it won’t be me, the spammers will use Twitter’s own security protocol to take control of my account, and that same security protocol will prevent me from stopping them.

Twitter Must be Worried, Right?
You’d think so, I mean this represents a potentially large spamming problem that would be very difficult to counter with software, and which could ruin their “pay to promote” advertising model. But as it turns out, they don’t give a damn.

As you can see from the image above, they have no interest in helping me regain control of my account if I lose access to my email. I contacted them days ago, via official channels, and haven’t even gotten an acknowledgement of my concern by way of return.

So What can we Do?
The short answer is nothing: if you’ve lost control of your email address you’re screwed, like me. If not, make sure you are using an email address that you stand the best chance of holding on to; use a Hotmail address or similar. Also, if there are other means of identification that a service offers you, then take them, no matter that it might seem a pain at the time. Trust me, the alternative is worse.
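The weak link in the story above is that the service treats “can read mail at the address we have on file” as proof of identity, even years after that address was verified and even when the domain behind it has changed hands. Below is an added illustration of how a service could notice that change at reset time; it is not Twitter’s, LinkedIn’s or the author’s code. It assumes the service records the domain’s MX hosts when an address is verified and looks them up again when a reset is requested (here the MX snapshots, handles, dates and hostnames are all constructed, so nothing touches the network). If mail for the domain is now routed somewhere else, or nowhere at all, the bare reset link is withheld and the account falls back to a second identifier, exactly the “other means of identification” recommended above.

```python
"""Reset policy that notices when the mail domain behind an account has
changed hands since the address was verified.

Added example, not code from the page or from any of the services it
discusses.  Every hostname, handle and date below is constructed; a real
deployment would take the MX sets from DNS at verification time and again
at reset time.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import FrozenSet, Iterable, List, Optional

# Constructed MX snapshots for one hypothetical personal domain.
MX_ORIGINAL = frozenset({"mail.example-hosting.test"})   # seen when the address was verified
MX_SQUATTER = frozenset({"mx.parked-domains.test"})      # seen after the domain changed hands
MX_LAPSED: FrozenSet[str] = frozenset()                  # domain expired: no MX records at all
NOW = datetime(2013, 1, 15)                              # constructed "current" time

# Possible outcomes of a reset request.
SEND_LINK = "SEND_LINK"            # mail routing unchanged: the usual emailed link is fine
STEP_UP = "STEP_UP"                # routing changed, but a second identifier exists: use it
MANUAL_REVIEW = "MANUAL_REVIEW"    # routing changed and nothing else to fall back on


@dataclass(frozen=True)
class Account:
    handle: str
    email: str
    verified_at: datetime                  # when the reset address was last confirmed
    mx_at_verification: FrozenSet[str]     # MX hosts recorded at that confirmation
    phone_verified: bool = False
    backup_email: Optional[str] = None


def domain_of(email: str) -> str:
    """Mail domain of an address, lower-cased for comparison."""
    return email.rsplit("@", 1)[1].lower()


def mail_domain_changed(acct: Account, current_mx: FrozenSet[str]) -> bool:
    """True when mail for the account's domain is routed somewhere other
    than when the address was verified: a new owner, or a lapsed domain
    with no MX left.  Either way the old link would not reach the user."""
    return current_mx != acct.mx_at_verification


def reset_decision(acct: Account, current_mx: FrozenSet[str]) -> str:
    """Decide how a password reset for this account should proceed."""
    if not mail_domain_changed(acct, current_mx):
        return SEND_LINK
    if acct.phone_verified or acct.backup_email:
        return STEP_UP
    return MANUAL_REVIEW


def accounts_to_reconfirm(accounts: Iterable[Account], now: datetime,
                          max_age: timedelta = timedelta(days=365)) -> List[str]:
    """Handles whose reset address has not been confirmed within max_age;
    the periodic 'please confirm your email' nag that some services send."""
    return [a.handle for a in accounts if now - a.verified_at > max_age]


# Constructed sample accounts.
GARY = Account("gary", "gary@gary-example.test", datetime(2009, 6, 1), MX_ORIGINAL)
GARY_WITH_PHONE = replace(GARY, phone_verified=True)
CAROL = Account("carol", "carol@example-hosting.test", datetime(2012, 11, 1), MX_ORIGINAL)

if __name__ == "__main__":
    print("domain changed hands, no fallback :", reset_decision(GARY, MX_SQUATTER))
    print("domain lapsed, no fallback        :", reset_decision(GARY, MX_LAPSED))
    print("domain changed hands, phone on file:", reset_decision(GARY_WITH_PHONE, MX_SQUATTER))
    print("routing unchanged                  :", reset_decision(CAROL, MX_ORIGINAL))
    print("overdue for reconfirmation         :", accounts_to_reconfirm([GARY, CAROL], NOW))
```

Comparing MX sets is a deliberately coarse signal: a legitimate mail provider migration would also trip it, which is why the changed case degrades to a second factor or a review queue rather than an outright refusal. The point is that the emailed link stops being the sole proof of identity once there is evidence the mailbox may no longer belong to the person who verified it.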

Oh, and pass this around to your friends and family, make sure they see it too.

To end, I’d just like to say: “I’m Gary Short!”

This entry was posted in Community, Personal, Technology.

11 Responses to The Internet is Broken and Here’s How

  1. Jan says:

    That sucks. People like Daly make money by stalking recently lapsed domains and taking them over. They play the numbers game: the investment in the domains is paid back every time they find someone who will cough up for a domain they really wanted. As long as you (or any other Gary Short) aren’t interested, they will eventually let it lapse because it’s unlikely to earn them anything. I guess you’ll just have to stalk them for a while to check when that’s going to happen.

  2. Phil Cross says:

    Gary – give me a call – Phil Cross – there may be a way to help….

  3. craignicol says:

    Definitely worth remembering, and it won’t help you unfortunately, but I have noticed several companies are aware of the problem: Google, Yahoo and LinkedIn have all recently asked me to confirm an email address (and Yahoo asked for a mobile number so they can text my token instead) to make sure their records are up to date. A few allow you to set up multiple email addresses (which has problems of its own, however).

  4. craignicol says:

    I’m Gary Short, and so is my wife.

  5. Mel Grubb says:

    Well played, craignicol. Well played.

  6. Rehearse your presentation while you jog, or make calls on the drive home instead of at the office.
    People send emails to friends, go shopping, download files, look at pornography, play games, gamble and read classifieds and other adverts for
    a better job, or an easy method of earning more money.

    how to hack facebook or myspace account password automatically
    fails your privacy settings for you to public.

  7. Marilou says:

    I would like to comment here as a show of support.

  8. What’s up, I log on to your blog like every week. Your writing style is awesome, keep up the good work!

  9. I do trust all of the ideas you’ve presented to your post. They’re very convincing and
    can certainly work. Still, the posts are very quick for novices.
    May just you please prolong them a bit from subsequent time?

    Thanks for the post.

  10. Frances says:

    Password file folders should be encrypted and open source code
    to ensure the company who made it is not dirty.
    In this world, your guard is as down as it will ever be.
    Hackers generally have handles or nicknames they use when communicating.
