Gaining Info On Tech Execs With Just Their Email

jfruh writes "Did you know that Craigslist founder Craig Newmark has a loyalty points account with the Starwood hotel chain? Did you know that both Tim Cook and Steve Ballmer have Dropbox accounts? All this information — and much more — can be found out because so many prominent executives use their corporate email address for their account logins, and most sites make it possible to see if an email address is associated with an account even if you don't have the account password. Just knowing that such an account exists can lead to technical and social engineering attempts to crack it, as happened in the case of Wired's Mat Honan."

  1. Any way around this? by jbuk · · Score: 5, Interesting

    Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

    1. Re:Any way around this? by jeffmeden · · Score: 5, Insightful

      Is there any alternative to throwing out a "this email address is already in use" error if a user attempts to register with someone else's email?

      Sure, flag the account for extra auditing in the following x number of hours. Or, start any registration with an email call-back and let anyone "start" the registration even if it exists, and in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly". Since you shouldn't be registering with an email that isn't yours and the web page will just be a "please check your email for registration info" this will not tell the illegitimate user anything useful.

    2. Re:Any way around this? by omnichad · · Score: 4, Insightful

      Sending the verification email at this step before letting them pick a password or complete their profile. The web site acts like it's a new account registration. The contents of the email sent will tell you whether it's already been registered or if it's a new account - and the link would either be to reset the password or to continue creating the account.

      That seems to do it. It's not terribly convenient for some, but it shouldn't be that much worse than the already existing email verification you see every day - just at an earlier step.

    3. Re:Any way around this? by vlm · · Score: 2

      in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

      And if you're trying to attack an enemy on that site, it's something of a three-sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day pseudo-stalking, or a thousand times per hour mailbomb.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    4. Re:Any way around this? by chill · · Score: 2

      Yes, display a "registration confirmation e-mail sent" and do it early on in the process. Require a confirming click before continuing.

      Send the e-mail. In the e-mail have a statement like "you already have an account -- would you like a reminder? If you didn't try and register here, just ignore this."

      The person looking for active accounts by rejection on the web site gets no feedback. Problem solved.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:Any way around this? by jeffmeden · · Score: 2

      in the email just put "you're already registered, your work here is done. That or, someone is trying to hack you, please ratchet paranoia accordingly"

      And if you're trying to attack an enemy on that site, it's something of a three-sided coin flip if you're better off freaking them out by re-registering them exactly once, or once per day pseudo-stalking, or a thousand times per hour mailbomb.

      You could cap it at one message per day, week, etc. The message doesn't really have to be sent ever since it's for a registration that will not take place, except for the case where the user forgot they had an account altogether and are trying to create a new one, so you want some kind of personalized notification of such an incident. Once a week is probably enough to avoid having someone forget about it before they do it again. Also, you could give the option to turn the notification off entirely if you are indeed being "e-Stalked" by some masked marauder.
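The flow jeffmeden, omnichad and chill describe above (always show "check your email", branch only inside the message, cap the notices, let the user opt out) as one added Python example. This is not code from the thread or from any site it mentions; the user table, mail queue, notice log and addresses are constructed stand-ins for a real database and mail system.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the site's user table, mail queue and notice log.
# Assumption: a real deployment backs these with its database and mail system.
USERS = {"ceo@example.com": {"password_hash": "<stored hash placeholder>"}}
MAIL_QUEUE = []          # messages handed to an asynchronous sender
LAST_NOTICE = {}         # email -> unix time of the last "already registered" notice
OPT_OUT = set()          # addresses that turned the notices off
NOTICE_INTERVAL = 7 * 24 * 3600   # "once a week is probably enough"
SECRET = secrets.token_bytes(32)  # per-process key for signing emailed links

# The one response every visitor sees, whether or not the address is registered.
PUBLIC_RESPONSE = "Please check your email for registration info."


def _normalize(email):
    return email.strip().lower()


def make_token(email, purpose):
    """Sign (purpose, email) so the emailed link cannot be forged or reused
    for the other purpose. purpose is 'continue' or 'reset'."""
    msg = f"{purpose}:{_normalize(email)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def verify_token(email, purpose, token):
    return hmac.compare_digest(make_token(email, purpose), token)


def disable_notices(email):
    """The opt-out jeffmeden suggests for someone being 'e-Stalked'."""
    OPT_OUT.add(_normalize(email))


def register(email, now=None):
    """First registration step. The browser always gets PUBLIC_RESPONSE; only
    the email body differs, and a registered address is notified at most
    once per NOTICE_INTERVAL (never, once opted out). Returns the response."""
    now = time.time() if now is None else now
    email = _normalize(email)
    if email in USERS:
        last = LAST_NOTICE.get(email)
        due = last is None or now - last >= NOTICE_INTERVAL
        if email not in OPT_OUT and due:
            LAST_NOTICE[email] = now
            MAIL_QUEUE.append({
                "to": email,
                "kind": "already_registered",
                "body": ("You already have an account here. Use this link to "
                         "reset your password; if you did not try to register, "
                         "ignore this message or disable these notices."),
                "token": make_token(email, "reset"),
            })
    else:
        MAIL_QUEUE.append({
            "to": email,
            "kind": "continue_registration",
            "body": "Follow this link to choose a password and finish signing up.",
            "token": make_token(email, "continue"),
        })
    # Queueing rather than sending inline keeps the response time the same on
    # both branches, so timing does not leak what the page text hides.
    return PUBLIC_RESPONSE
```

The password is chosen only after the emailed link is verified with the matching purpose, so an attacker who can load the registration page learns nothing from the page, and a registered address can receive at most one notice per interval no matter how often the form is submitted.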

    6. Re:Any way around this? by vlm · · Score: 2

      So basically these sites are stealing the abuse-prevention system of another site instead of implementing their own.

      Only stealing if they don't have permission. They are collecting all kinds of tasty data mining information in exchange for hosting a login service. So FB knows when and where and who is logging into my local newspaper to post inane comments to their newswire stories. Because 99% of the newspaper site comments are repetitive political sloganeering spam, that means FB knows exactly who are not-too-bright active proselytizer political "true believers", on one side or another anyway. That's monetizable information when you sell a mailing list to political parties. Title of the spamlist is probably something like "recently active political activists in zip code 12345". Some database JOINs can fine tune the list to your specific target audience.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    7. Re:Any way around this? by KhabaLox · · Score: 2

      "real" companies like the world's largest retailer (guess who) does exactly what you are proposing. No files come or go by HTTP or email. No thumb drives are available on any workstation attached to the LAN. Services like Dropbox are completely off the table.

      I'm guessing you're talking about a company like Wal-Mart. Are you saying that the Procurement department there can't receive any PDFs, spreadsheets, word docs or any other file from a prospective supplier via email? I'm pretty sure that's not correct. I used to work for a food company that did business with both Wal-Mart and Sam's Club, and I don't ever recall getting a request for help sending files to them (and trust me, my users would not have been able to follow whatever instructions they were given for alternative delivery methods).

      I currently work for a large post-production company in the entertainment industry, where security is a big deal. But they don't impose the draconian security measures that are required for the production areas/networks on the rest of the business. The HR and Finance department have their own security needs (physical and electronic) that are different from Operations, and it wouldn't make sense to apply one rule to all areas.

      --
      Ceci n'est pas un sig.
  2. Hate using my Email address as log in by Nyder · · Score: 5, Interesting

    Always thought it was a bad idea. I was helping a buddy of mine get some online game going, and the place (EA Games) wants your email address as your log in ID. But my buddy, is like, "why do they want my email's password?" I try to explain, "They don't. They want you to use your email as your log in info, but make a new password." I'm pretty sure he used the same password as his email password. And honestly, that is way too easy to do like that.

    --
    Be seeing you...
    1. Re:Hate using my Email address as log in by Minwee · · Score: 2

      Always thought it was a bad idea [...] (EA Games)

      You were right. Anything to do with EA Games is a bad idea.

    2. Re:Hate using my Email address as log in by Trepidity · · Score: 2

      I agree, but I think they used it because it sweeps under the rug the other problem that usernames traditionally have, that people get frustrated that they can't find a username that's not taken. Your site can spend time building username-suggestion generators to try to help people find an unused one. But email addresses as usernames are guaranteed not to be taken by someone who can't access that email account. Also, it's one less thing the person has to make up on the spot, which means one less potential barrier to them bothering to register.

    3. Re:Hate using my Email address as log in by Leif_Bloomquist · · Score: 4, Informative

      This is where services like Mailinator are invaluable. Just create a throwaway email address for each of all these stupid logins.

      I take it a step further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com . This way, each login is unique *and* I can track who is giving out my email address as spam.

      Yet the emails all go to one central inbox, so it's not inconvenient to get/search the confirmation messages.

    4. Re:Hate using my Email address as log in by History's+Coming+To · · Score: 2, Funny

      They've got very good security - when I tried to contact them regarding something they refused to talk to me because I "gave the wrong date of birth". I used the Data Protection Act (UK) to get all the information they hold on me, and the date of birth was correct. So they wouldn't talk to me even though I had the right details, now that's what I call social engineering secure.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    5. Re:Hate using my Email address as log in by KhabaLox · · Score: 3, Insightful

      You don't have to create extra email addresses with Gmail. You can use periods or '+' to create custom email addresses that still get delivered to your inbox. Then you can set up filters or rules to treat them accordingly. For example, you could sign up with a site with "yourname+sitename@gmail.com" and the email will go to "yourname@gmail.com". So you can track address leaks/sales, or auto-delete/auto-star/auto-file emails from certain sites.

      --
      Ceci n'est pas un sig.
    6. Re:Hate using my Email address as log in by Cormacus · · Score: 4, Interesting

      Unfortunately a lot of the same sites where you would want to use this kind of information gathering (adding the "+thisSite" to your email address) refuse to validate email addresses with the '+' character. I've run into this in more than a few places.

      --
      Mon chien, il n'a pas du nez. Comment scent-il? Très mauvais!
    7. Re:Hate using my Email address as log in by Bourdain · · Score: 2

      I do the same thing (re: custom email addresses) though since I use gmail to manage the domain, I also use subdomains as well to sort them (i.e., in order of importance of general class of address)

      note that the free gmail version using a "+" both exposes your address and doesn't work with a lot of sites whereas subdomains work just fine (if you host a domain w/gmail)

    8. Re:Hate using my Email address as log in by Eil · · Score: 2

      I take it a step further, though: I own my own domain and have made it a practice of using a custom email address for each site I need to log in to, i.e. sitename@mydomain.com

      This is what I liked about using gmail: you can append a +whatever to the username part of the address to let you know when a company sells or misuses your address. The downside is that in 2012, a good 50% of websites still don't understand that "+" is a valid character in an email address.

      When I set up my personal email server, I added this line to /etc/postfix/main.cf:

      recipient_delimiter = .

      Which does the same thing as the gmail "+" delimiter, but is accepted by every website I've come across. (Since firstname.lastname@example.com is a very common address format.)
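The sub-addressing discussed by Leif_Bloomquist, KhabaLox, Cormacus and Eil above, as an added Python example that is not code from the thread, from Gmail or from postfix: an address validator that accepts '+' as RFC 5322 allows (the check the sites Cormacus and jader3rd ran into get wrong), a tag splitter in the spirit of Eil's recipient_delimiter line that treats '+' or '.' as the delimiter, a canonical-mailbox function (with Gmail's dot-ignoring rule special-cased), and a small report that flags which site's tagged address is receiving mail from somewhere else. The delimiter set, registry and inbox lines are constructed assumptions, and splitting at the first delimiter is this example's choice, not a statement about postfix internals.

```python
import re

# Characters RFC 5322 allows in an unquoted local-part atom; '+' is among them,
# so a validator that rejects it is the bug, not the address.
ATEXT = set("abcdefghijklmnopqrstuvwxyz0123456789!#$%&'*+-/=?^_`{|}~")
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Assumed delimiter set: Eil's main.cf uses '.', Gmail uses '+'.
DELIMITERS = "+."


def is_valid_local_part(local):
    """Dot-atom form: non-empty atext runs separated by single dots."""
    if not local or len(local) > 64:
        return False
    atoms = local.split(".")
    return all(atom and all(c in ATEXT for c in atom.lower()) for atom in atoms)


def is_valid_domain(domain):
    labels = domain.lower().split(".")
    return len(labels) >= 2 and all(LABEL.match(lbl) for lbl in labels)


def is_valid_address(addr):
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    return is_valid_local_part(local) and is_valid_domain(domain)


def split_tag(addr, delimiters=DELIMITERS):
    """Return (mailbox, tag, domain). The first delimiter character in the
    local part starts the tag, so 'eil.newegg' -> ('eil', 'newegg')."""
    local, domain = addr.rsplit("@", 1)
    for i, c in enumerate(local):
        if c in delimiters:
            return local[:i], local[i + 1:], domain
    return local, "", domain


def canonical(addr, delimiters=DELIMITERS):
    """Mailbox identity with the tag removed: what a site should compare when
    deciding whether two sign-ups are really the same inbox."""
    _, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain == "gmail.com":
        # Gmail: only '+' starts a tag, and dots in the mailbox are ignored.
        mailbox, _, _ = split_tag(addr, "+")
        mailbox = mailbox.replace(".", "")
    else:
        mailbox, _, _ = split_tag(addr, delimiters)
    return f"{mailbox.lower()}@{domain}"


def leak_report(received, registry):
    """received: (recipient, sender) pairs from the inbox; registry: tag ->
    domain of the site that tagged address was given to. Returns, per site,
    the senders that used its tagged address from some other domain."""
    report = {}
    for recipient, sender in received:
        _, tag, _ = split_tag(recipient)
        site = registry.get(tag)
        if site is None:
            continue
        sender_domain = sender.rsplit("@", 1)[1].lower()
        if sender_domain != site:
            report.setdefault(site, []).append(sender)
    return report


# Constructed sample data: which tag was handed to which site, and a few
# (recipient, sender) pairs as they might appear in the central inbox.
REGISTRY = {"newegg": "newegg.example", "dell": "dell.example"}
INBOX = [
    ("eil.newegg@mydomain.example", "orders@newegg.example"),
    ("eil.newegg@mydomain.example", "deals@spam-broker.example"),
    ("eil.dell@mydomain.example", "support@dell.example"),
]

if __name__ == "__main__":
    print(is_valid_address("yourname+sitename@gmail.com"))
    print(canonical("Mr.Big+Facebook@gmail.com"))
    print(leak_report(INBOX, REGISTRY))
```

Run as a script it validates a '+' address, canonicalizes a Gmail address to its bare mailbox, and reports the one sender that reached the newegg-tagged address from an unrelated domain.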

  3. boring, I can do better by vlm · · Score: 2

    Starwood hotel chain... Dropbox accounts ...

    Boring. Next thing you know we'll have a breathless account of how the secret leaked that they have facebook accounts too.

    A much more entertaining social hack would be to sign up for "exotic" hard core pr0n services, then change the sock puppet account email address to these famous execs addresses, then "leak" to journalists. Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

    Or how about signing up prominent Republicans (Even better, Democrats!) for Pravda and Russia Today and CPUSA type-of accounts.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:boring, I can do better by OzPeter · · Score: 2

      Oh, look, a certain well known patent troll has an account on sheeplovers.com and NORML, whoever would have guessed?

      NORML? How quaint. In this day and age of witch hunts I would have thought NAMBLA would be a better choice.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:boring, I can do better by icebraining · · Score: 2

      Most websites nowadays require you to validate any email address, even if it wasn't the one you used when registering.

  4. Use a virtual email address by Hillgiant · · Score: 2

    Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com. All the email still goes to MrBig@gmail.com, but tricks like the one in TFA do not work.

    --
    -
    1. Re:Use a virtual email address by Anonymous Coward · · Score: 3, Informative

      +notation is not a virtual email address. It's good that gmail follows the RFC.

    2. Re:Use a virtual email address by jader3rd · · Score: 2

      Gmail will let you set up virtual email addresses. So you can register as MrBig+Facebook@gmail.com instead of MrBig@gmail.com.

      Sadly, I've run into plenty of services which won't let me sign up because they claim that my email address contains invalid characters when my email address contains the '+' character.

  5. Re:A counter to this...? by KhabaLox · · Score: 2

    Well, at the mid-management level, I know that I had accounts on vendor/customer websites (e.g. newegg, Dell, Costco) because I had to do business with them for my job. In some cases, like Newegg, I had my own personal account as well.

    I can easily see the need for an account on Dropbox or Twitter or FB or some other service that was tied expressly to your job, and not for you personally. I don't see as much of a case for C level positions, but I guess if you want to easily share files across computers it makes sense.

    And re security, if you can't trust your CEO not to steal files, then you have bigger problems.

    --
    Ceci n'est pas un sig.