
My name is Niru Jami


I made a discovery today which gave me pause for thought and should do the same for you. When you sign up on a web site like Amazon or Photobox your username is typically your email address. People sometimes forget their passwords so if that happens you can usually give the site your email address and they then mail you your password.

Fair enough, you might think, that sounds fairly secure [1]. But here's the rub. Suppose that you have an email address and then you give it up.

To give you an example Mr Niru Jami [2] of 5 Channing Road, Letchworth Garden City, Herts, SG6 7QJ used to own the domain jami.org.uk and he used the email address but when he gave up the domain he didn't delete all his accounts with web sites.

I bought that domain for my nephew as a birthday present a year and a half ago and we still occasionally get mail to so I have an auto-responder that sends an "Unsubscribe" email to anyone who emails that email address. Photobox ignores these emails and while looking at this today I managed to log into Mr Jami's account at Photobox. There I discovered his address and his home phone number. Luckily for him he didn't give Photobox his date of birth or I would have access to his Equifax account too now as I know he had an account there too and they are sensible and demand forename, surname, and date of birth before sending out a new password.

I wonder where else he had an account? I know he had a Homebase account as I cancelled the subscription to that a long while ago. Ditto GreenBee.

It turns out he didn't have an Amazon account, which is lucky really because if he did I could have ordered something expensive on his credit card and had it delivered to the address of my choice.

It's all a bit scary really.

Anyway, the bottom line is that if you give up your email address (and this applies as much to addresses at the likes of Gmail as it does to vanity domains) then because of this habit of web sites of happily giving out passwords to anyone who can read the address it's vital that before you give up the address you close all accounts associated with it.

  1. It still means your password is going across the Net in an unencrypted email, but people seem willing to live with that. I'm not entirely convinced myself.
  2. When I originally wrote this article I used Mr Jami's real name and address (as these would be in the public domain anyway - on the electoral roll for example) but in March 2011 he found this article via a Web search and he asked me to remove his details so the address here is fake and Mr Jami's first name isn't Niru, but the rest of this tale is entirely true: I did have his name, address, and home phone number by that stage and access to his Photobox account.

Tags: websites Written 06/11/10
