Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.
Davis said that right now, Yahoo is banking on its "Require-Recipient-Valid-Since" protocol, a header that senders add to emails to check the age of the account before delivering a message, such as a password reset email. The problem with this, Davis said, is that it asks a lot of the sender. "This requires vendors to change the way they do something, and the only way this is going to work is if every vendor out there adds this header or Yahoo comes up with a better solution," he said.
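As an added illustration of how the Require-Recipient-Valid-Since header is meant to work (this code is not from the article, Yahoo, or any mail vendor), the sender side stamps each recipient address with the date it last confirmed that address belonged to its customer, and the receiving provider rejects delivery if the mailbox changed owners after that date. The header syntax follows RFC 7293 (address, semicolon, RFC 5322 date); the account table and the reject policy are constructed for the example.

```python
import email.utils
from datetime import datetime, timezone

# Constructed sample of a receiving provider's records:
# address -> moment the *current* owner took possession of the mailbox.
ACCOUNT_VALID_SINCE = {
    "alice@example.com": datetime(2009, 3, 14, tzinfo=timezone.utc),  # original owner
    "bob@example.com": datetime(2013, 8, 15, tzinfo=timezone.utc),    # recycled to a new owner
}


def build_rrvs(address, confirmed_at):
    """Sender side: produce the header value for one recipient."""
    return f"{address}; {email.utils.format_datetime(confirmed_at)}"


def parse_rrvs(header_value):
    """Receiver side: split 'addr-spec; date-time' into (address, aware datetime)."""
    addr, sep, date = header_value.partition(";")
    addr = addr.strip().lower()
    if not sep or not addr:
        raise ValueError("malformed Require-Recipient-Valid-Since header")
    try:
        when = email.utils.parsedate_to_datetime(date.strip())
    except (TypeError, ValueError):
        raise ValueError("unparseable date in Require-Recipient-Valid-Since header")
    if when is None:
        raise ValueError("unparseable date in Require-Recipient-Valid-Since header")
    if when.tzinfo is None:  # treat a bare timestamp as UTC (assumption)
        when = when.replace(tzinfo=timezone.utc)
    return addr, when


def rrvs_decision(header_value, recipient, accounts=ACCOUNT_VALID_SINCE):
    """Return 'deliver' or 'reject' for one recipient of a message carrying RRVS."""
    addr, confirmed = parse_rrvs(header_value)
    recipient = recipient.lower()
    if addr != recipient:
        return "deliver"  # header names another recipient; it does not apply here
    valid_since = accounts.get(recipient)
    if valid_since is None:
        return "reject"  # unknown mailbox
    if valid_since > confirmed:
        return "reject"  # ownership changed after the sender last confirmed it
    return "deliver"
```

A reset email confirmed for Bob in June 2013 is rejected because the mailbox was handed to a new owner in August 2013, while the same check passes for Alice, whose mailbox never changed hands.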
By focusing its solution on the usability of the recycled accounts instead of the security issues still surrounding them, Yahoo is ignoring the bigger problem, said Eva Velasquez, CEO of the Identity Theft Resource Center.
"As far as helping new account holders avoid the nuisance of spam, [the button] may work, however when it comes to the risk of identity theft, it will make no difference," Velasquez said in an interview. "The potential for social engineering is incredible. Access to social network login credentials themselves may not lead to a credit card being opened in the original account holder's name, but it can help a nefarious character to obtain the information needed to do so. Once the information has been sent via email, the damage is done. It's just as if you were to receive a tax return for the person who used to live in your house."
Sophos' Wisniewski said there were better ways for Yahoo to deal with the problem of dwindling "good" email addresses. "There are ways to get the part before the @ that you want without taking someone else's email address," he said. Wisniewski suggested that Yahoo create a different email suffix, such as @yahoo.ng for "new generation," for example.
Velasquez said that Yahoo's problem should serve as an example for other businesses. "This is just another example of how policies and procedures need to take security into account before new services roll out and not as an afterthought," she said. "This is happening across the board as security often takes a back seat to innovation in such a fast-paced market."
CounterTech's Davis said what Yahoo does and how it proceeds will set the tone for other businesses, which will eventually face the same problem. "Yahoo is being the pioneer in this. Outlook, Hotmail and others will have to do the same thing," he said. "Whatever Yahoo does will become part of a standard way. They're falling off their bike and skinning their knees right now. Yahoo wanted to attract more users and have old ones come back, but if they don't address this problem, they won't have people returning."