Investigation Report: Yahoo account-locked password reset issue


bowbow
09-15-2006, 09:21 PM
Go to the following link for details:
http://www.tecross.com/blog/2006/09/15/tecross-investigation-report-yahoo-account-locked-password-reset-issue

But the following are some of the highlights:
View of the issue in an unbiased manner:

1. It is okay for Yahoo to use date of birth for identifying their customers, but the problem is that not everyone used their actual date of birth for registration. Since childhood we are primed not to give out our SSN and date of birth to anyone. To confirm this theory, we personally contacted some of Yahoo’s customers who had opened their accounts four or more years back. Guess what: most of them had used fake birthdays, and none of them remembers it anymore. People who have opened their accounts in recent years appear to have used their actual birthdays; we believe this is due to the popularity of the Yahoo brand name in recent years.
2. To make matters worse, one cannot see the birthday on file on the Yahoo user’s profile page. Yahoo does not display the date of birth for security reasons, which makes sense, but at the same time numerous consumers (who used fake birthdays) are literally sitting ducks waiting to lose their data.

Desired Outcomes:

Now that we have dissected the problem, let’s discuss the desired outcome from Yahoo for this issue:

1. Try to help the victims regain their account access even if they don’t remember their fake birthdays. We believe the root cause of this problem is the lack of clarity from Yahoo on the importance of the birthday field during the registration process. Most of the victims are willing to give other forms of ID such as a driver’s license, credit card, etc.
2. Block all access to the Yahoo ID as soon as someone reports that his/her account has been phished.
3. If a user wants to cancel his or her account, then grant that wish as soon as possible. One of the complaints was that Yahoo does not respond to requests to cancel accounts. As mentioned earlier, every moment Yahoo delays in resolving the issue, they are putting the victim’s social network in jeopardy and within arm’s reach of the hackers/phishers.
4. Notify all their existing customers about the importance of the date of birth on file, and also have a plan for those customers who do not remember their fake birthdays. These customers are sitting ducks waiting to lose their data.