9/26/2013 12:00 PM

Yahoo Email Change Doesn't Solve Security Problem

Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.

After InformationWeek reported on three Yahoo users who began receiving emails containing personal information intended for their accounts' former holders -- including bank, wireless and social media account information -- Yahoo announced it would launch a tool for returning messages that were not meant for the current user.

The new button, called "Not My Email," reportedly will roll out this week and will be found under the "Actions" tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.

Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.

"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."


Wisniewski said that although account holders "with a conscience" will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.

Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.

Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't."

Davis said that right now, Yahoo is banking on its "Require-Recipient-Valid-Since" proposal: a header in which the sender states the date on which it last confirmed that the intended recipient controlled the address. The receiving mail server compares that date with its own records of when the mailbox was last assigned and refuses to deliver the message, such as a password reset email, if the mailbox has changed hands since then. The problem with this, Davis said, is that it asks a lot of the sender. "This requires vendors to change the way they do something, and the only way this is going to work is if every vendor out there adds this header or Yahoo comes up with a better solution," he said.
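To make the mechanism Davis describes concrete, here is an added example (not Yahoo's code and not from the article) of both sides of a Require-Recipient-Valid-Since exchange: a password-reset sender that stamps the header with the date it last confirmed the address, and a receiving mailbox provider that compares that date with its own record of when the current owner took the mailbox. The domains, the mailbox-ownership table and the dates are constructed for the demo; a real provider would read them from its account database.

```python
"""Both sides of a Require-Recipient-Valid-Since (RRVS) check.

Added example, not Yahoo's or the article's code. The domains, the
mailbox-ownership table and the dates are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, Optional, Tuple

HEADER = "Require-Recipient-Valid-Since"


# --- Sender side: a service that mails password-reset links ---------------

def build_reset_email(recipient: str, confirmed_since: datetime,
                      token: str) -> EmailMessage:
    """Build a reset message carrying the RRVS header.

    `confirmed_since` is the last time the sender verified that its user
    controlled `recipient` (sign-up, last mailed-link login, and so on).
    The header asks the mailbox provider not to deliver if the mailbox
    has changed hands since that instant.
    """
    msg = EmailMessage()
    msg["From"] = "no-reply@example-bank.test"   # constructed sender
    msg["To"] = recipient
    msg["Subject"] = "Password reset"
    # Header value syntax: addr-spec ";" date-time (RFC 5322 date format).
    stamp = format_datetime(confirmed_since.astimezone(timezone.utc))
    msg[HEADER] = f"{recipient}; {stamp}"
    msg.set_content(f"Reset link: https://example-bank.test/reset?token={token}\n")
    return msg


# --- Receiver side: the mailbox provider's delivery-time check ------------

@dataclass
class Mailbox:
    address: str
    owned_since: datetime   # when the *current* owner received the mailbox


def parse_rrvs(value: str) -> Optional[Tuple[str, datetime]]:
    """Parse 'addr; date-time' into (addr, aware datetime); None if malformed."""
    addr, sep, date = value.partition(";")
    if not sep:
        return None
    try:
        when = parsedate_to_datetime(date.strip())
    except (TypeError, ValueError):
        return None
    if when is None:                     # older Pythons return None on bad input
        return None
    if when.tzinfo is None:              # "-0000" parses as naive; treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def rrvs_decision(msg: EmailMessage, mailboxes: Dict[str, Mailbox]) -> str:
    """Decide delivery for the message's To: recipient, SMTP-reply style.

    250  deliver: the same owner has held the mailbox since the stamp
    550  reject : the mailbox was (re)assigned after the stamp, so the
                  sender's knowledge of who reads it is stale
    """
    rcpt = msg["To"].strip().lower()
    box = mailboxes.get(rcpt)
    if box is None:
        return "550 no such mailbox"
    raw = msg.get(HEADER)
    if raw is None:
        return "250 no RRVS header; delivering as usual"
    parsed = parse_rrvs(raw)
    if parsed is None or parsed[0] != rcpt:
        return "550 malformed RRVS header or address mismatch"
    _, since = parsed
    if box.owned_since <= since:
        return "250 recipient continuously valid since stamp; delivering"
    return "550 mailbox changed hands after stamp; not delivering"


def demo() -> Dict[str, str]:
    """Run the exchange against two constructed mailboxes."""
    utc = timezone.utc
    mailboxes = {
        # Held by the same person since 2009: the reset mail goes through.
        "alice@example-mail.test": Mailbox("alice@example-mail.test",
                                           datetime(2009, 3, 1, tzinfo=utc)),
        # Released, then reassigned to a new user in August 2013.
        "bob@example-mail.test": Mailbox("bob@example-mail.test",
                                         datetime(2013, 8, 15, tzinfo=utc)),
    }
    # The sender last confirmed both addresses in June 2013.
    confirmed = datetime(2013, 6, 1, 12, 0, tzinfo=utc)
    return {rcpt: rrvs_decision(build_reset_email(rcpt, confirmed, "demo-token"),
                                mailboxes)
            for rcpt in mailboxes}


if __name__ == "__main__":
    for rcpt, verdict in demo().items():
        print(f"{rcpt}: {verdict}")
```

The point Davis makes shows up in the last branch of `rrvs_decision`: the protection only exists when the sender stamps the header. A message without it takes the "delivering as usual" path, which is exactly the misdirected password-reset mail the article describes, so every vendor that sends account mail has to adopt the header for the recycled-mailbox problem to be closed from this side.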

By focusing its solution on the usability of the recycled accounts instead of the security issues still surrounding them, Yahoo is ignoring the bigger problem, said Eva Velasquez, CEO of the Identity Theft Resource Center.

"As far as helping new account holders avoid the nuisance of spam, [the button] may work, however when it comes to the risk of identity theft, it will make no difference," Velasquez said in an interview. "The potential for social engineering is incredible. Access to social network login credentials themselves may not lead to a credit card being opened in the original account holder's name, but it can help a nefarious character to obtain the information needed to do so. Once the information has been sent via email, the damage is done. It's just as if you were to receive a tax return for the person who used to live in your house."

Sophos' Wisniewski said there were better ways for Yahoo to deal with the problem of dwindling "good" email addresses. "There are ways to get the part before the @ that you want without taking someone else's email address," he said. Wisniewski suggested that Yahoo create a different email suffix, such as @yahoo.ng for "new generation," for example.

Velasquez said that Yahoo's problem should serve as an example for other businesses. "This is just another example of how policies and procedures need to take security into account before new services roll out and not as an afterthought," she said. "This is happening across the board as security often takes a back seat to innovation in such a fast-paced market."

CounterTack's Davis said what Yahoo does and how it proceeds will set the tone for other businesses, which will eventually face the same problem. "Yahoo is being the pioneer in this. Outlook, Hotmail and others will have to do the same thing," he said. "Whatever Yahoo does will become part of a standard way. They're falling off their bike and skinning their knees right now. Yahoo wanted to attract more users and have old ones come back, but if they don't address this problem, they won't have people returning."

Comments
OtherJimDonahue, User Rank: Apprentice
9/26/2013 | 7:11:58 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Recycling email addresses is sheer craziness on Yahoo's part. It was a terrible idea, and this "fix" is a Band-Aid at best.
Halwits, User Rank: Apprentice
9/27/2013 | 6:22:53 AM
re: Yahoo Email Change Doesn't Solve Security Problem
Yes, I agree with you.
ninjacoding, User Rank: Apprentice
9/27/2013 | 1:05:27 PM
re: Yahoo Email Change Doesn't Solve Security Problem
These researchers missed an important aspect. Companies should take active measures to ensure proper communication. If a user deactivates an account, it should remain dormant for multiple years. In that time frame companies should at minimum do a yearly check to verify email communication. When that attempt is made, the email message, if deactivated properly, should return an invalid address message and the company's systems should deactivate use of that email account.
Instead companies use "do not reply" email accounts which simply dump the return message into a "null" bin, never looking to see if the account is invalid. From personal experience with a cable company, I have changed the email address, deleted it as well, called them on it, and still I get mail from them using that old account.
Kristin Burnham, User Rank: Apprentice
9/27/2013 | 2:04:51 PM
re: Yahoo Email Change Doesn't Solve Security Problem
Good advice--thanks for sharing!
JMONTAGUE292, User Rank: Apprentice
9/27/2013 | 7:39:26 PM
re: Yahoo Email Change Doesn't Solve Security Problem
The FCC makes some radio call signs available for reassignment (FCC's own assignment and in some cases by request). The minimum dormancy period for many, if not all, cases is 2 years after license expiration, license abandonment, or licensee's death (or dissolution of organization).

Given the abundant personal information that flows through email, a reasonable minimum period of dormancy should be 10+ years.