Thursday, May 26, 2005

Why email addresses shouldn't be login names...

The following news blurb highlights another reason publicly accessible web sites should allow users to log in using a personally chosen handle rather than an email address. The first reason, of course, is simple portability: what happens when the user's email address changes?

This technique, as described in the report quoted below, is exploited by phishers who profile users by running their email addresses against the large number of web sites that authenticate users via email address rather than a user-chosen handle.

The term for this attack? Hostile profiling.

In the technique described in the report, spammers and phishers automatically run thousands of e-mail addresses through Web site registration and password-reminder tools. Because many online businesses return a specific message when an e-mail address is registered with the site, attackers can find out whether that address represents a valid customer...

...By matching e-mail addresses with Web sites, cybercriminals can uncover the gender, sexual preference, political orientation, geographic location, hobbies and the online stores that have been used by the person behind an e-mail address...

Source: Phishers get personal
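The profiling the report describes works only because the site's password-reminder (or registration) response differs for registered and unregistered addresses. The following example, added here and not taken from the post or the report, shows a leaky reminder handler beside an enumeration-safe one, a defender-side check that measures whether a handler leaks account existence, and a simple detector run over log lines. The user store, the handler messages, the log format and the IP addresses are all constructed for this example.

```python
"""
Added example (not from the original post or the linked report): a
password-reminder handler written two ways, a check for whether a handler
leaks account existence, and a detector for the bulk probing the report
describes. Every value below (users, messages, log lines, IPs) is constructed.
"""
from collections import defaultdict

# Constructed user store: the set of registered e-mail addresses.
USERS = {"alice@example.com", "bob@example.com"}


def _queue_reminder_mail(email: str) -> None:
    """Placeholder for the out-of-band mail send (constructed; does nothing)."""
    return None


def leaky_reminder(email: str) -> str:
    """Leaky form: the HTTP response itself says whether the address is registered.
    This is the 'specific message' the report says profilers rely on."""
    if email in USERS:
        _queue_reminder_mail(email)
        return "A password reminder has been sent to your address."
    return "No account is registered under that e-mail address."


def uniform_reminder(email: str) -> str:
    """Enumeration-safe form: the response is identical either way. Whether a
    mail goes out is decided here but only the mailbox owner ever learns it.
    (A real deployment should also keep the work done, and so the response
    time, similar for both branches.)"""
    if email in USERS:
        _queue_reminder_mail(email)
    return "If that address is registered, a password reminder has been sent."


def enumeration_exposure(handler, candidates, control="not-a-user@example.invalid"):
    """Defender-side test for your own handler: compare each candidate's response
    with the response for a known-unregistered control address and return the
    addresses the handler distinguishes. An enumeration-safe handler yields an
    empty set."""
    baseline = handler(control)
    return {addr for addr in candidates if handler(addr) != baseline}


# Constructed access-log lines: "<timestamp> <client-ip> <method> <path> email=<addr>".
# 198.51.100.7 cycles many distinct addresses through /reminder in seconds (profiling);
# 203.0.113.5 is an ordinary user retrying one address; 192.0.2.9 only logs in.
LOG_LINES = [
    "2005-05-26T10:00:01 198.51.100.7 POST /reminder email=alice@example.com",
    "2005-05-26T10:00:02 198.51.100.7 POST /reminder email=carol@example.com",
    "2005-05-26T10:00:02 198.51.100.7 POST /reminder email=dave@example.com",
    "2005-05-26T10:00:03 198.51.100.7 POST /reminder email=bob@example.com",
    "2005-05-26T10:01:10 203.0.113.5 POST /reminder email=bob@example.com",
    "2005-05-26T10:01:40 203.0.113.5 POST /reminder email=bob@example.com",
    "2005-05-26T10:02:00 192.0.2.9 POST /login email=alice@example.com",
]


def flag_profilers(lines, threshold=3):
    """Return client IPs that submitted at least `threshold` distinct addresses to
    the reminder endpoint. Counting distinct addresses (not requests) keeps a
    single user who retries their own address out of the result."""
    distinct = defaultdict(set)
    for line in lines:
        _ts, ip, _method, path, param = line.split()
        if path != "/reminder" or not param.startswith("email="):
            continue
        distinct[ip].add(param.split("=", 1)[1])
    return {ip for ip, addrs in distinct.items() if len(addrs) >= threshold}


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("leaky handler exposes:  ", sorted(enumeration_exposure(leaky_reminder, probe)))
    print("uniform handler exposes:", sorted(enumeration_exposure(uniform_reminder, probe)))
    print("profiling sources in log:", sorted(flag_profilers(LOG_LINES)))
```

The uniform response closes the oracle the report describes; the log check is the complementary control, since even a uniform endpoint should not be silently absorbing thousands of distinct addresses from one source. Pairing both with a handle-based login (the email stays a mutable, non-public attribute on the account) addresses the portability point as well.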
