So, my roommate and I recently switched to Comcast, and he was issued an email address @comcast consisting of the first letter of his first name and his entire last name.
He logged in today and discovered the inbox already contains email (and spam) from the previous owner (whose name was Carol; his name is Chris). Some of this email is from places she apparently shopped at, and if Chris were a Bad Person, it wouldn’t take much effort to go to those shopping websites, claim that “she” lost “her” password, and BINGO! He can go on a shopping spree on her dime. (Fortunately for her, he’s not a Bad Person, and would never do this.)
Does this seem wrong to you?
Someone needs to inform Comcast, and/or people who use Comcast, of the potential security holes inherent in re-issuing their customers’ email addresses.
So…
Dear Comcast:
Please stop re-issuing your customers’ usernames. It results in irresponsible misuse of personal information. You are effectively giving someone’s old email address (and all correspondence going to it) to someone else, which could result in the misuse of their credit cards or other personal information.
Next:
Dear Comcast subscribers:
Don’t ever use your Comcast-issued email address. Ever. It is not secure, and any correspondence to or from this email address can be read by whoever Comcast decides to give that email address to next.
Luckily, I never used my Comcast email address back when I subscribed.
So, come on kids. Who’s at fault here? And what steps do you think should be taken to protect people from fraud in this kind of situation?
My thoughts:
It’s very easy to blame the subscriber for being ignorant of email’s insecurity. However, I don’t think this is fair because the average internet and computer user has great Big Misconceptions about How Stuff Works (it’s a series of tubes?), and there simply isn’t an effective way to educate them all.
So until everyone magically learns how to be more responsible, I think big, well-funded corporations like Comcast should take it upon themselves to make sure their customers are informed of the risks associated with using their services.
(Dude, someone digg this or something. Jeebus. People need to know about this.)
7 Comments
Hawaii Community College gave me an e-mail address davidv@blahblah. It was already full of spam as soon as I got it. I didn’t consider that it might have been a previous davidv’s address being reused. Instead I concluded that the spammers were brute-force mailing all combinations of first name-last initial that they could pull out of a book of names. I’m not sure which situation is worse.
Did my comment get lost? Or are you screening them…?
Hey Rio, if you’ve been here before and use the same info, you get auto-approved. If not, I manually approve. You should be fine now.
Comcast requires at least a 90 day waiting period before any email address can be reregistered. At least that’s a start.
They could probably wait longer, like 6 months, but that still wouldn’t solve the issue. I think if they didn’t recycle email addresses at all, it would be pretty tiresome trying to come up with a halfway decent or professional looking email address.
Most online vendors I shop with require you to verify personal information such as last four of credit card number, last four of SSN, birthday, or a predefined question/answer pair in order to either specify a new password, or to have a randomly generated password mailed to you.
I’m sure there are some that just email a new password to the email account thinking only the owner would have access, and that in itself is a pretty big risk, even if Comcast wasn’t recycling addresses. If someone I knew had a Hotmail account or something, and it only required a city of birth and birthday in order to change the account password, then I could gain access to the email account.
I just think online merchants should take every precaution to protect the personally identifiable information of their customers. It’s secure for the vendor to not give the option to specify a password, but they should consider that if one could gain unauthorized access to the email account, they’ve left the door wide open to abuse of their online store.
That said, I agree that corporations providing services such as internet connectivity should take a proactive approach to education of their customer base; but I don’t think it’s Comcast’s sole responsibility. Vendors such as Amazon should be doing the same thing. You know? An ISP shouldn’t rely on a vendor for security, and the vendor shouldn’t assume the email account is secure.
The whole thing just needs some checks and balances.
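An added example, not part of the original post or its comments: a merchant-side reset flow in which control of the mailbox alone is not enough, so whoever inherits a recycled address cannot reset the account. The `ResetService` class, the 15-minute token lifetime and the high-entropy recovery code (used in place of a guessable fact such as city of birth) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 15 * 60  # assumed lifetime of a mailed reset link, in seconds


def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ResetService:
    """Toy merchant account store; every name here is hypothetical."""

    def __init__(self):
        self.accounts = {}  # email -> {"salt", "recovery", "password"}
        self.pending = {}   # sha256(token) -> (email, expiry)

    def register(self, email, password, recovery_secret):
        salt = secrets.token_bytes(16)
        self.accounts[email] = {
            "salt": salt,
            "recovery": _kdf(recovery_secret, salt),
            "password": _kdf(password, salt),
        }

    def request_reset(self, email, now):
        """Return the token that would be mailed as a link, never a password."""
        if email not in self.accounts:
            return None  # a real site should answer identically either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[digest] = (email, now + TOKEN_TTL)
        return token

    def complete_reset(self, token, recovery_secret, new_password, now):
        """Require both the mailed token and the recovery secret."""
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.pending.pop(digest, None)  # single use, even on failure
        if entry is None or now > entry[1]:
            return False
        acct = self.accounts[entry[0]]
        supplied = _kdf(recovery_secret, acct["salt"])
        if not hmac.compare_digest(supplied, acct["recovery"]):
            return False
        acct["password"] = _kdf(new_password, acct["salt"])
        return True

    def check_password(self, email, password):
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(
            _kdf(password, acct["salt"]), acct["password"])
```

Because the token is consumed on the first attempt, someone holding only the mailbox gets one guess at the recovery code per mailed link.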
Hey Travis, I think you’re absolutely right that the whole system is flawed.
I didn’t know that Comcast required a 90 day waiting period before email addresses get re-registered.
I’m sure that most intelligent and established online stores are probably pretty smart about this sort of thing. I’ve also not shopped somewhere that did not confirm my information in some step of the process (except amazon.com… they store my credit cards, so if anyone got access to my amazon.com account, I’d be pretty screwed).
That’s really not the problem. The really big problem is sending an employer a resume, and when they respond (if the email is business related) you won’t even get the mail because your email is residential. It’s not a business class email address, therefore it looks like Comcast IS screening all of your messages. BECAUSE THEY DON’T WANT YOU MAKING A RESIDENTIAL EMAIL ADDRESS A BUSINESS EMAIL ADDRESS!!!
I went to digg this and someone (not surprisingly) had beaten me to it… so I dugg the story, but it seems that nobody cares, they’re more concerned about Comcast’s moving target bandwidth caps… :-/ meh! I tried to help.