Yahoo's recent decision to re-assign inactive accounts is drawing concern from security experts who worry that the system could be abused by cybercriminals.
The company said last week that it would be taking accounts which have not been accessed for more than one year and allowing users to re-register the name with new accounts. Users will have until 15 July to log into their inactive accounts in order to avoid losing them.
Yahoo said that the aim of the move was to free up old usernames and allow users to shorten and simplify the addresses they want to register.
According to security experts, however, the decision is dangerous and could put a large number of users at risk of attack. Scott Hazdra, principal security consultant with consulting firm Neohapsis, said that the unused accounts could be leveraged by an attacker to perform any number of social engineering tricks.
“Those quick on the draw will be able to grab accounts like they would freed-up vanity licence plates,” he explained.
“There will definitely be instances where those secondary accounts will receive notices that a password is about to expire or has been changed, that a balance is low, that someone has pushed this message to your account, that someone has tried to log into your account, and on and on – and that could present a major problem.”
Additionally, Hazdra believes that Yahoo's quick turnaround period will not leave many users who otherwise want to keep their accounts with enough time to reclaim their addresses. He suggests that the company opt to extend the verification period significantly.
“Yahoo plans to send out notices and bounce back emails that the accounts no longer exist, but doing that for just 30 days is not long enough,” he said.
“If Yahoo is intent on re-issuing these accounts, they should keep them inactive for at least six months to allow that process to play out and to provide the original account owner a chance to take action.”
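The risk Hazdra describes is that a service keeps sending password-change, low-balance and login alerts to an address whose holder has changed underneath it. One defensive check a notifying service can apply is to compare the date it last verified that its user controls the address against the date the mailbox provider reports the current holder obtained that address, and withhold the notice (and trigger re-verification) when the mailbox changed hands later. The code below is an added example written for this page; it is not Yahoo's code or anything described in the article, and it assumes a hypothetical registry lookup (`MAILBOX_REGISTRY`) that exposes the holder's registration date, which real providers do not necessarily offer. All dates and addresses are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class MailboxRecord:
    """What a mailbox provider would expose about an address (assumed API)."""
    address: str
    registered_on: date  # date the *current* holder obtained this address


@dataclass(frozen=True)
class AccountLink:
    """A service's record of an address attached to one of its user accounts."""
    service: str
    address: str
    verified_on: date  # date the service last confirmed the user controls the address


# Constructed sample registry: one long-held address and one that was
# re-registered by a new holder after an inactivity freeze.
MAILBOX_REGISTRY: Dict[str, MailboxRecord] = {
    "alice@example.com": MailboxRecord("alice@example.com", date(2009, 3, 1)),
    "shortname@example.com": MailboxRecord("shortname@example.com", date(2013, 7, 16)),
}


def is_recipient_valid(link: AccountLink, mailbox: Optional[MailboxRecord]) -> bool:
    """True only if the mailbox existed, unchanged, when the service verified it.

    If the current holder registered the address *after* the service's
    verification date, the person who verified it is no longer the person
    reading it, so account notices must not go there.
    """
    if mailbox is None:
        return False
    return mailbox.registered_on <= link.verified_on


def decide_notice(link: AccountLink, registry: Dict[str, MailboxRecord]) -> str:
    """Return 'deliver' or a 'withhold:<reason>' decision for one account notice.

    Withheld notices should trigger out-of-band re-verification of the contact
    address rather than being silently dropped.
    """
    mailbox = registry.get(link.address)
    if mailbox is None:
        return "withhold:address-no-longer-exists"
    if not is_recipient_valid(link, mailbox):
        return "withhold:address-reassigned-since-verification"
    return "deliver"


def triage(links, registry: Dict[str, MailboxRecord]) -> Dict[str, str]:
    """Apply the check to a batch of links; keyed by 'service/address'."""
    return {f"{l.service}/{l.address}": decide_notice(l, registry) for l in links}


if __name__ == "__main__":
    # Constructed sample links a bank and a shop might hold.
    sample_links = [
        AccountLink("bank", "alice@example.com", date(2012, 5, 20)),       # still the same holder
        AccountLink("bank", "shortname@example.com", date(2011, 1, 10)),   # verified before re-issue
        AccountLink("shop", "shortname@example.com", date(2013, 8, 2)),    # re-verified by new holder
        AccountLink("shop", "gone@example.com", date(2012, 1, 1)),         # address no longer exists
    ]
    for key, decision in triage(sample_links, MAILBOX_REGISTRY).items():
        print(f"{key}: {decision}")
```

The second link is the case from the article: the bank verified the address in 2011, the original holder let it lapse, and a new holder re-registered it in July 2013, so the low-balance or password-reset notice is withheld instead of landing in a stranger's inbox. The third link shows that once the new holder has themselves verified the address with a service, delivery resumes for that service only.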