I make a conscious effort not to blog on topics that others have already discussed, unless they impact me directly. So, to add to the pile of "FAIL" account resets, which I refuse to call "hacks," here is another one.
Yesterday I tried to log in to an online software store but couldn't remember the password. Not a problem; I clicked the "forgot password" link. I got to the part that allows me to write a message explaining the problem. I wrote that I couldn't remember the password for the account and that the email address on file was no longer valid, since I had switched ISPs. I gave them my new email address and asked nicely that they update it so I could reset my password. The new email address has the same name as the old one but a different domain.
Well, I got an email today saying they had updated my account, changed my email address (which is also the login), and set a temporary password. WTF?
Let me go over this again slowly. I email the company and say my email address on file is old. I give them a new email address. They reset the account and send me the temp password? No verification, no last four digits of my Social Security number, no secret question, nothing.
Now, true, once logged in someone would still need to pay for the software ordered. But what if I had an open line of credit? In my case I get academic pricing, so where you pay $200 for Windows, I get it for $5. Wouldn't that be worth creating a fake free email account and trying to get access?
Anyway, I'm not sure this qualifies as an "EPIC FAIL," but I've always wanted to write that. Something I have taken away from all of this is that I am now checking all my important online accounts to see what the "forgot password" procedure is, and contacting those with weak challenges and verification. I guess my first stop will be my software store.
I would like to know if anyone else has tried to see how easy it is to "reset" their own personal accounts. Post in the comments if you have any tips on improving the "forgot password" procedure.
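As an added illustration (not code from the post or from the store in question), here is a small Python model of the two recovery flows: the one the post describes, where the address named in the request is simply accepted as the new login and a temporary password is mailed to it, beside a token-based flow that never changes the login address on a reset request, mails only a random, single-use, short-lived token to the address already on file, and routes any "please update my address" request to a manual identity check instead of honouring it automatically. The account, the attacker's throwaway mailbox, the outbox and the clock are all constructed stand-ins so the example runs offline.

```python
"""Added example: the weak "forgot password" flow from the post beside a
token-based one. Everything here is hypothetical and constructed inline."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60        # assumed lifetime of a reset token


@dataclass
class Account:
    login_email: str
    password: str


@dataclass
class Outbox:
    """Constructed stand-in for the mail system: records (recipient, body)."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def weak_reset(account: Account, requested_email: str, outbox: Outbox) -> str:
    """The flow the post describes: the requester's word is the only proof.

    The login address is replaced with whatever the request named and a
    temporary password is mailed there, so anyone who can type the victim's
    old address into a support form ends up holding the account.
    """
    temp_password = secrets.token_urlsafe(12)
    account.login_email = requested_email      # unverified change of the login
    account.password = temp_password
    outbox.send(requested_email, f"temporary password: {temp_password}")
    return temp_password


class SafeReset:
    """Proof of control of the address on file, via a hashed single-use token."""

    def __init__(self, outbox: Outbox, now=time.time):
        self.outbox = outbox
        self.now = now                              # injectable clock for testing
        self._pending = {}                          # sha256(token) -> (login, expiry)
        self.manual_review = []                     # (claimed login, requested email)

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked table of pending resets is then useless.
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, account: Optional[Account], claimed_login: str,
                requested_email: Optional[str] = None) -> None:
        if account is None:
            return                                  # same reply as success: no enumeration
        if requested_email and requested_email != account.login_email:
            # An address change is an identity claim, not a password reset:
            # queue it for a human check, mail nothing, change nothing.
            self.manual_review.append((claimed_login, requested_email))
            return
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (account.login_email,
                                           self.now() + TOKEN_TTL_SECONDS)
        self.outbox.send(account.login_email, f"reset token: {token}")

    def redeem(self, account: Account, token: str, new_password: str) -> bool:
        entry = self._pending.pop(self._key(token), None)   # pop: single use
        if entry is None:
            return False
        login, expiry = entry
        if self.now() > expiry or login != account.login_email:
            return False
        account.password = new_password
        return True


def demo() -> dict:
    """Run both flows against a constructed victim and attacker; return checks."""
    r = {}
    victim = Account("user@oldisp.example", "hunter2")
    attacker_mailbox = "user@freemail.example"      # same local part, new domain

    weak_out, weak_acct = Outbox(), Account(victim.login_email, victim.password)
    weak_reset(weak_acct, attacker_mailbox, weak_out)
    r["weak_login_changed"] = weak_acct.login_email == attacker_mailbox
    r["weak_temp_pw_to_attacker"] = weak_out.sent[0][0] == attacker_mailbox

    clock = [1_000_000.0]
    safe_out, safe_acct = Outbox(), Account(victim.login_email, victim.password)
    safe = SafeReset(safe_out, now=lambda: clock[0])

    safe.request(safe_acct, safe_acct.login_email, requested_email=attacker_mailbox)
    r["safe_login_unchanged"] = safe_acct.login_email == victim.login_email
    r["safe_nothing_mailed_to_attacker"] = safe_out.sent == []
    r["safe_queued_for_review"] = safe.manual_review == [(victim.login_email, attacker_mailbox)]

    safe.request(safe_acct, safe_acct.login_email)  # legitimate owner
    to, body = safe_out.sent[-1]
    token = body.split("reset token: ", 1)[1]
    r["safe_token_to_address_on_file"] = to == victim.login_email
    r["safe_guess_rejected"] = not safe.redeem(safe_acct, "not-the-token", "x")
    r["safe_redeem_ok"] = safe.redeem(safe_acct, token, "new-strong-pw")
    r["safe_replay_rejected"] = not safe.redeem(safe_acct, token, "again")

    safe.request(safe_acct, safe_acct.login_email)  # token left past its lifetime
    stale = safe_out.sent[-1][1].split("reset token: ", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    r["safe_expired_rejected"] = not safe.redeem(safe_acct, stale, "late")
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the comparison is where the proof of ownership comes from: the weak flow trusts the text of the request, while the token flow trusts only the mailbox already on file, and treats a request to change that mailbox as a separate identity claim that a person has to verify.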
Tuesday, October 7, 2008
