How I Steal Social Security Numbers (or, How NOT to do Website Security)

TL;DR: Be real careful about typing in your email address when you sign up for new things, folks.

There are a lot of people who think that my email address is their email address. Usually this is just annoying, but sometimes I realize what a terrible power this would be in the wrong hands, since so many websites have really terrible security.

I was a Gmail early adopter, so I have a personal email account (that now is mostly used for shopping) with a really basic username. In the 13 years I’ve had this account, I’ve gotten an insane (and increasing) number of emails not intended for me — and they’re clearly not all the same person. There’s someone who was getting married a few years ago who signed up for a bunch of email lists at a bridal show. Someone got their scuba diving certification (and never received their certificate). Someone’s child keeps sending me requests to approve their memberships to online sites (which is the only reason I know what Club Penguin is). A few months ago, a couple was trying to buy a house, and I got urgent emails from their realtor with their application forms attached. I’ve gotten pieces of tax returns. I’ve gotten FaceTime requests from tween girls who then texted me videos. I’ve gotten invited to family gatherings and told that it’s my job to bring the dessert. I’ve been receiving someone’s receipts for their sanitation service for about ten years. I am on so many mailing lists for stores I would never shop in. I’ve been signed up for dozens of online dating sites. (And no, this is not my friends lamenting that I’m single — there are some weird dating sites out there, you guys.)

When this happens, the first thing I do is check for an “is this not your email?” link somewhere. These are pretty rare. Then I look for an unsubscribe button, if it’s a mailing list. And if there isn’t an unsubscribe button (which is usually the case for dating sites, for example), all I can do is try to log into the account and disconnect the email… so that my inbox isn’t flooded with “winks” or “pokes” or whatever for a forty-six-year-old woman in Germany who is looking for men ages thirty-five to fifty.

Usually then I can change the email address to something random or just delete the account. Once I was feeling particularly annoyed, and edited the dating profile to say “Hi, I don’t know my own email address.” But you might be wondering — wait, how do you get into these lonely hearts’ accounts? You don’t know their passwords!

Have you ever forgotten your password? Maybe had to reset it? How does that work, usually? Most common is… you type in your email address and then it emails you a password reset link or a temporary password. Voila! With my very own email, I can go in and change the password to “idontknowmypassword” or something and then log into the account.

Now of course this doesn’t always work. Sometimes websites have decent security measures in place to keep this from happening! For a couple of weeks I was receiving Harriet’s Experian credit score reports. (For the record, Harriet is doing pretty well, as I kept getting notifications that her score was going up; I think she was paying off credit cards.) I tried to log in on the account, and when I didn’t know the password it asked for my date of birth. Wow, what a great idea! Of course, once I got to that point there was no way for me to get to their help desk without signing in, and no customer support email address, so I ended up direct messaging them on Twitter. (They fixed it. No more emails for Harriet.)

You might think that this is great that sites with more important information (like credit scores!) have better security than dating sites. And for the most part I haven’t gotten access to a lot of personal information — usually just an address or info about what kind of shoes they buy. But yesterday I hit the jackpot!

Seventeen-year-old Madison is applying for a job at Burger King. Well, she was, at least, but she didn’t finish her online application. So the job search site helpfully emailed her a reminder that she needed to finish it! Unfortunately, that email came to me and not Madison. As is typical, I ignored the first email, but after the second one, sighed heavily and went into my usual routine. There was obviously no verification process that this was her email. There was also no “this is not my account” button. So I clicked on the link for the site, went to the login page, and clicked “forgot password?” I typed in my email, and two minutes later, got this helpful one in return.

[Image: password reset email! no identity verification required!]

So I clicked on “Set Password,” changed it, and then logged into the account. Sure, I could have contacted customer service instead (there’s a form), but I assumed this would be faster and I was sick of Burger King emails. Besides, I wasn’t expecting to get to her account and find this:

[Image: a user profile that includes tons of personal information (redacted, of course, because I’m not a monster)]

So this is how I know that Madison is seventeen years old. I also know where she lives, her phone number, and her social security number. Seriously?!

As with Experian, I’m sure that the site will apologize and disconnect my email. But this time, gosh, I guess it’s a good thing I’m not an identity thief who wants to take out a bunch of credit cards in the name of a poor unsuspecting teenager.

And the infuriating thing is, this is so simple to fix. Send an email verification when they sign up. (Lots of sites do this, good for them!) Require additional information when you reset a password. Or something, anything, that doesn’t give someone complete access to an account just because a user might have made a typo when they entered their email address. This is the takeaway for website developers. Seriously. Think about use cases. Think about things people do wrong. I’m an HCI researcher; I can tell you, people do stuff wrong.
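Both fixes in code, as an added example that is not part of the original post: an address has to be confirmed before it can ever receive a reset link, and the reset itself needs a second fact besides the emailed token. The `Accounts` class, its method names and the in-memory outbox are hypothetical, and date of birth stands in for the additional information (as in the Experian case above).

```python
import hashlib, hmac, secrets, time
TOKEN_TTL = 15 * 60  # assumed lifetime of an emailed token, in seconds

class Accounts:
    """In-memory stand-in for a user table and outbound mail (hypothetical names)."""
    def __init__(self):
        self.users = {}   # email -> account record
        self.outbox = []  # (recipient, kind, token) tuples in place of real mail

    def _issue(self, email, kind):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.users[email]["pending"] = (kind, digest, time.time() + TOKEN_TTL)
        self.outbox.append((email, kind, token))

    def _redeem(self, email, kind, token):
        pending = self.users.get(email, {}).get("pending")
        if not pending:
            return False
        want_kind, digest, expires = pending
        ok = (want_kind == kind and time.time() < expires and hmac.compare_digest(
            digest, hashlib.sha256(token.encode()).hexdigest()))
        if ok:
            del self.users[email]["pending"]  # a token works once
        return ok

    def sign_up(self, email, dob):
        if email not in self.users:  # never overwrite an existing account
            self.users[email] = {"verified": False, "dob": dob, "password": None}
            self._issue(email, "verify")

    def confirm_email(self, email, token):
        if self._redeem(email, "verify", token):
            self.users[email]["verified"] = True
        return self.users.get(email, {}).get("verified", False)

    def request_reset(self, email):
        user = self.users.get(email)
        if user and user["verified"]:  # unconfirmed addresses never get a reset link
            self._issue(email, "reset")
        return "If that address has an account, a reset link is on its way."

    def reset_password(self, email, token, dob, new_password):
        if not self._redeem(email, "reset", token):  # consumed here: one guess per link
            return False
        if not hmac.compare_digest(self.users[email]["dob"].encode(), dob.encode()):
            return False
        salt = secrets.token_bytes(16)
        key = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        self.users[email]["password"] = (salt, key)
        return True
```

With this flow, a mistyped address that nobody confirms receives exactly one message (the verification mail), and holding the mailbox alone is not enough to set a new password.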

And for everyone else, the takeaway is: Be careful when you type in your email address, just in case. But especially if it’s a site that you’re providing sensitive information to! After all, you might actually typo into an identity thief instead of a helpful professor who likes to rant about poor usability and security practices.