Risk
9/26/2013
12:00 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

Davis said that right now, Yahoo is banking on its "Require-Recipient-Valid-Since" protocol, a header that senders add to emails to check the age of the account before delivering a message, such as a password reset email. The problem with this, Davis said, is that it asks a lot of the sender. "This requires vendors to change the way they do something, and the only way this is going to work is if every vendor out there adds this header or Yahoo comes up with a better solution," he said.

By focusing its solution on the usability of the recycled accounts instead of the security issues still surrounding them, Yahoo is ignoring the bigger problem, said Eva Velasquez, CEO of the Identity Theft Resource Center.

"As far as helping new account holders avoid the nuisance of spam, [the button] may work, however when it comes to the risk of identity theft, it will make no difference," Velasquez said in an interview. "The potential for social engineering is incredible. Access to social network login credentials themselves may not lead to a credit card being opened in the original account holder's name, but it can help a nefarious character to obtain the information needed to do so. Once the information has been sent via email, the damage is done. It's just as if you were to receive a tax return for the person who used to live in your house."

Sophos' Wisniewski said there were better ways for Yahoo to deal with the problem of dwindling "good" email addresses. "There are ways to get the part before the @ that you want without taking someone else's email address," he said. Wisniewski suggested that Yahoo create a different email suffix, such as @yahoo.ng for "new generation," for example.

Velasquez said that Yahoo's problem should serve as an example for other businesses. "This is just another example of how policies and procedures need to take security into account before new services roll out and not as an afterthought," she said. "This is happening across the board as security often takes a back seat to innovation in such a fast-paced market."

CounterTech's Davis said what Yahoo does and how it proceeds will set the tone for other businesses, which will eventually face the same problem. "Yahoo is being the pioneer in this. Outlook, Hotmail and others will have to do the same thing," he said. "Whatever Yahoo does will become part of a standard way. They're falling off their bike and skinning their knees right now. Yahoo wanted to attract more users and have old ones come back, but if they don't address this problem, they won't have people returning."

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
White Papers
More White Papers
Comments
Newest First  |  Oldest First  |  Threaded View
JMONTAGUE292
50%
50%
JMONTAGUE292,
User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reason minimum period of dormancy should be 10+ years.
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
@ubm_techweb_disqus_sso_-4c5bf4ba8d74c722d28ca4c34a7266ae:disqus Good advice--thanks for sharing!
ninjacoding
50%
50%
ninjacoding,
User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed important aspect. Companies should take an active measures to ensure proper communication. If users deactives an account it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made the email message if deactived properly should returned an invalid address message and the company systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message in to a "null" bin never looking to see if the account is invalid. From personal experience with a cable company, I have change the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
Halwits
50%
50%
Halwits,
User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes , I agree with you.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.