
Linking identities to email addresses

As I predicted yesterday, a bunch of sites have popped up where you can input an email address and find out whether it was part of the Ashley Madison hack. My spam trap address isn’t on any of them, which makes me wonder whether the unsubscribe data was kept elsewhere or they simply never bothered to save the requests.
One of the things I’m seeing in most articles about the hack is the reassurance that Ashley Madison didn’t verify addresses, so an account may not belong to the owner of the email address attached to it. We can’t say that the email address owner is the cheater, because Ashley Madison didn’t care who owned the email address.
The warnings have been published in security blogs.

Ashley Madison didn’t do any kind of email / ownership verification for new accounts.
Provide a fake email to Ashley Madison, get started with all free features immediately.
Yes, the really quick way to build a user base; a minimum of effort needed to get started.
Graham Cluley, July 2015 (emphasis original)

The warnings have been published on television news sites.

It’s also important to note that Ashley Madison users aren’t required to verify their email addresses, meaning some found in the dump may have been hijacked by Ashley Madison users seeking to keep their own email addresses off their accounts.
ABC News

Even financial reporting sites are mentioning the unverified email addresses.

Several reporters and security researchers have said the data dump appears legitimate, but, to be sure, that doesn’t mean the emails are. AshleyMadison.com doesn’t verify users’ email addresses after they sign up, which means people can make up fake emails or use the addresses of others when creating accounts.
Marketwatch

In this case, some email address owners, whether or not they created the account at Ashley Madison, may face repercussions in real life: people who are already in rocky relationships and now have to explain why their email address shows up in the data dump. Some articles suggest military members may face problems because their information is in the data dump. Had Ashley Madison taken some step, any step, to confirm that the addresses belonged to the people who submitted them, that would not be as big a concern. But they chose not to do any email verification. Even worse, people who wanted to clear up the accounts were asked to pay money to remove the account from the database.
Email addresses are becoming more and more important identifiers of our online identity. Almost everything we do online, particularly in terms of commerce, is tied to an email address. Too few companies actually verify that the email address belongs to the person who submitted it. Companies resist verification. They want the easy signup and the fast accumulation of “users.” Verification creates friction. It also creates overhead and process. It leads to unconfirmed email addresses in the database just sitting there doing nothing. Organizations don’t want to verify email addresses because it’s hard to do and relies on the recipient taking some action.
This can lead to problems for the recipients, but it can also lead to problems for the organizations. At least half of my consulting clients come to me with delivery problems that can be traced back to them not doing any address verification. They don’t make sure the address belongs to the person who gave it to them, they get bad data on their lists, and then they get blocked or listed on the SBL (the Spamhaus Block List) for spamming.
I’m sure someone is going to tell me that there are a half dozen or so “address verification companies” that help with this issue. Except they don’t do anything to address the problem of someone giving an email address that doesn’t belong to them. Nothing any of the verification services do connects the email address to the person who submitted it. They just test to see if an address is deliverable. Many of my clients are using address verification to “clean” their lists and are still seeing SBL listings and other delivery problems.
Failure to verify email addresses leads to problems for the organizations collecting addresses. We’ve now seen it can lead to problems for the people who have their addresses forged. It’s beyond time for organizations to step up and treat address verification, real address verification, as a vital part of their signup process.
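To make the distinction above concrete, here is a small confirmed opt-in (COI) flow in Python. It is example code added for this page, not anything Ashley Madison or any address verification service actually runs; the `SignupStore` class, the server secret, the sample address and the `example.invalid` confirmation link are all constructed assumptions. The `looks_deliverable` check stands in for what list-cleaning services do (syntax here, MX lookups and SMTP probing online): it accepts any well-formed address no matter who typed it. The HMAC-signed, expiring, single-use confirmation token only succeeds for whoever can read the mailbox, which is the property the post says signup processes are missing.

```python
"""Confirmed opt-in demo: prove the submitter controls the mailbox.

Example code written for this page; SignupStore, the secret and the
example.invalid link are constructed, not taken from any real service.
"""
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret for the demo; a real deployment loads it from a secrets store.
SERVER_SECRET = b"example-only-secret-rotate-me"
TOKEN_TTL_SECONDS = 24 * 3600

_SYNTAX = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def looks_deliverable(address: str) -> bool:
    """What a typical 'address verification' service establishes: the address
    is well formed (and, online, has MX records / accepts mail). It says
    nothing about whether the person who submitted it owns the mailbox."""
    return bool(_SYNTAX.match(address.strip()))


def make_token(address: str, issued_at: int) -> str:
    """Bind the token to the normalized address and issue time with an HMAC,
    so it cannot be forged, moved to another address, or used after expiry."""
    msg = f"{address.strip().lower()}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"


@dataclass
class SignupStore:
    pending: dict = field(default_factory=dict)   # address -> outstanding token
    confirmed: set = field(default_factory=set)
    outbox: list = field(default_factory=list)    # stands in for the SMTP send

    def start_signup(self, address: str, now: Optional[int] = None) -> None:
        addr = address.strip().lower()
        if not looks_deliverable(addr):
            raise ValueError("malformed address")
        issued_at = int(time.time()) if now is None else now
        token = make_token(addr, issued_at)
        self.pending[addr] = token
        # Only the mailbox owner receives this link; the account stays inert
        # until it is followed, so a forged signup never becomes a record.
        self.outbox.append((addr, f"https://example.invalid/confirm?e={addr}&t={token}"))

    def confirm(self, address: str, token: str, now: Optional[int] = None) -> bool:
        addr = address.strip().lower()
        if addr not in self.pending:
            return False                     # nothing outstanding (or already used)
        try:
            issued_at = int(token.split(".", 1)[0])
        except ValueError:
            return False
        now = int(time.time()) if now is None else now
        if now < issued_at or now - issued_at > TOKEN_TTL_SECONDS:
            return False                     # expired or clock-skewed token
        # Recompute and compare in constant time; a guessed token fails here.
        if not hmac.compare_digest(make_token(addr, issued_at), token):
            return False
        del self.pending[addr]               # single use
        self.confirmed.add(addr)
        return True


def demo() -> dict:
    """Walk through the scenario from the post with a constructed address."""
    store = SignupStore()
    t0 = 1_700_000_000
    # Someone submits an address they do not control. Deliverability says "fine".
    store.start_signup("victim@example.com", now=t0)
    # The submitter never sees the mail, so the best they can do is guess.
    forged = store.confirm("victim@example.com", f"{t0}." + "0" * 64, now=t0 + 60)
    # The real owner's link, read from the simulated outbox.
    addr, link = store.outbox[0]
    real_token = link.split("&t=", 1)[1]
    expired = store.confirm(addr, real_token, now=t0 + TOKEN_TTL_SECONDS + 1)
    confirmed = store.confirm(addr, real_token, now=t0 + 3600)
    replay = store.confirm(addr, real_token, now=t0 + 3601)
    return {"syntax_ok": looks_deliverable("victim@example.com"),
            "forged": forged, "expired": expired,
            "confirmed": confirmed, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The store keeps unconfirmed addresses out of `confirmed`, which is the list anything downstream (marketing sends, a breach dump) should be drawn from; the token itself is stateless, so the same validation works across servers as long as they share the secret and clock.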
 

1 comment

  1. G B says

    Ironically, not verifying emails actually allows some more-or-less plausible deniability to some. Unintended consequences and a poor defence, but had there been COI procedures, they would be much harder to deny.
    Also, email verification is indeed partially a problem. Conversion funnels are rife with locations to genuinely lose users, and email registration is one of them. The anti-spam concerns of the email industry cannot be the sole consideration a product manager will take when designing a service registration process (but the head count shouldn’t be the only one either).
