Yahoo Email Change Doesn't Solve Security Problem

Published: 22/11/2024   Category: security




Yahoo's "Not My Email" button may cut down on misdirected email, but security experts say Yahoo's solution doesn't address the underlying security issues.



After InformationWeek reported on three Yahoo users who began receiving emails containing personal information intended for the former account holder -- including bank, wireless and social media account information -- Yahoo announced it would launch a tool to return messages that were not intended for users.
The new button, called "Not My Email," reportedly will roll out this week and will be found under the Actions tab in users' inboxes. The button will help users of recycled accounts train their inboxes to recognize which email is intended for them and which is not, eventually rejecting email before the user has read it.
Although this solution might help current owners of recycled Yahoo accounts combat the influx of misdirected mail, it ignores the underlying security problems, experts said. Emails containing personal information are still reaching users who have taken over a Yahoo email account, and that still poses significant privacy and security problems.
"Yahoo's button doesn't solve the big problem and I can't believe they're not taking this more seriously," said Chester Wisniewski, senior security advisor at security firm Sophos, in an interview. "I don't think they have any intentions of protecting these original account holders. They're doing this as a song and dance in front of the press and just to make the new accounts more palatable."
Wisniewski said that although account holders with a conscience will likely use the button to expedite the process of weeding out misdirected mail, it's irrational to think that users with more malicious intent would even consider it. "I wonder how many phishers out there are going to click the button to let Yahoo know they're getting these emails? I'm incensed by Yahoo's response because it's clear they're trying to placate people," he said.
Yahoo maintains that the number of people receiving others' email is minimal and that it takes the security and privacy of its users very seriously.
Mike Davis, CTO at CounterTack, a malware detection organization, said that although Yahoo's button is a step in the right direction, the company still needs to work on addressing the security threats. "Clicking the button just accelerates an unsubscribe process similar to how a company categorizes spam," he said in an interview. "You're going to have problems where the email address was used to authenticate someone, which makes it easy for people to take over accounts or gain access to something they shouldn't." Davis said that right now, Yahoo is banking on its Require-Recipient-Valid-Since protocol, a header that senders add to emails to check the age of the account before delivering a message, such as a password reset email. The problem with this, Davis said, is that it asks a lot of the sender. "This requires vendors to change the way they do something, and the only way this is going to work is if every vendor out there adds this header or Yahoo comes up with a better solution," he said.
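A receiver-side sketch of the check this header enables, added here as an illustration and not code from Yahoo or the article. The `address; date-time` field syntax is the one later published in RFC 7363; the mailbox table, addresses, dates and function names are constructed for the example.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

# Constructed data: when the *current* owner took over each mailbox.
OWNER_SINCE = {
    "recycled@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc),
    "longtime@mail.example": datetime(2006, 3, 1, tzinfo=timezone.utc),
}

def parse_rrvs(value):
    """Split 'address; date-time' into (lowercased address, aware datetime)."""
    addr, sep, stamp = value.partition(";")
    if not sep:
        raise ValueError("missing ';' between address and date")
    when = parsedate_to_datetime(stamp.strip())
    if when.tzinfo is None:
        raise ValueError("date carries no usable time zone")
    return addr.strip().lower(), when

def delivery_decision(raw_message, rcpt):
    """Return 'reject' if the mailbox changed hands after the sender's date."""
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        try:
            addr, valid_since = parse_rrvs(value)
        except (ValueError, TypeError):
            continue  # assumption of this sketch: malformed field = absent
        owner_since = OWNER_SINCE.get(addr)
        if addr == rcpt.lower() and owner_since and owner_since > valid_since:
            return "reject"  # sender's relationship predates the new owner
    return "deliver"  # no header, or ownership is continuous since the date

def build(rcpt, rrvs_date=None):
    """Constructed password-reset message, with or without the header."""
    lines = ["From: reset@shop.example", f"To: {rcpt}", "Subject: Password reset"]
    if rrvs_date:
        lines.append(f"{HEADER}: {rcpt}; {rrvs_date}")
    return "\n".join(lines) + "\n\nReset link goes here.\n"

if __name__ == "__main__":
    old = "Tue, 12 Jan 2010 10:00:00 +0000"  # sender last verified the user here
    for rcpt, date in [("recycled@mail.example", old),
                       ("recycled@mail.example", None),
                       ("longtime@mail.example", old)]:
        print(rcpt, date, "->", delivery_decision(build(rcpt, date), rcpt))
```

The second case is the gap Davis describes: a sender that never adds the header gets normal delivery to the mailbox's new owner.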
By focusing its solution on the usability of the recycled accounts instead of the security issues still surrounding them, Yahoo is ignoring the bigger problem, said Eva Velasquez, CEO of the Identity Theft Resource Center.
"As far as helping new account holders avoid the nuisance of spam, [the button] may work, however when it comes to the risk of identity theft, it will make no difference," Velasquez said in an interview. "The potential for social engineering is incredible. Access to social network login credentials themselves may not lead to a credit card being opened in the original account holder's name, but it can help a nefarious character to obtain the information needed to do so. Once the information has been sent via email, the damage is done. It's just as if you were to receive a tax return for the person who used to live in your house."
Sophos' Wisniewski said there were better ways for Yahoo to deal with the problem of dwindling good email addresses. "There are ways to get the part before the @ that you want without taking someone else's email address," he said. Wisniewski suggested that Yahoo create a different email suffix, such as @yahoo.ng for "new generation," for example.
Velasquez said that Yahoo's problem should serve as an example for other businesses. "This is just another example of how policies and procedures need to take security into account before new services roll out and not as an afterthought," she said. "This is happening across the board as security often takes a back seat to innovation in such a fast-paced market."
CounterTack's Davis said what Yahoo does and how it proceeds will set the tone for other businesses, which will eventually face the same problem. "Yahoo is being the pioneer in this. Outlook, Hotmail and others will have to do the same thing," he said. "Whatever Yahoo does will become part of a standard way. They're falling off their bike and skinning their knees right now. Yahoo wanted to attract more users and have old ones come back, but if they don't address this problem, they won't have people returning."
