Login Security

I have a concern about security on a website that I must use, I will not name them at this stage for obvious reasons.

They have replaced the conventional login of Username and password to just your email address.

My concerns are: 
  1. My email address is in the public domain
  2. Email does not use adequately secure protocols
  3. Email accounts are easy to hack into.

When you enter your email address they email you a link to their website which now gives access to confidential information.

I am all for two-factor authentication in addition to login; sending a message when someone has logged in or tried and failed to log in, but they seem to have delegated their security to that of the email provider, but I do not think it is enough to just provide an email address.

So now if my email account is hacked and the hackers trawl my account for useful information for ID theft or whatever, they will come across one of the login emails of this company, go to their website, key in the email address and await the email with the login URL.

Just about every email provider has been hacked, not just for a handful of accounts, we are talking billions of accounts hacked. So I feel that it is not adequate.

I raised my concerns with the company who just became defensive and did not see the problem.

Well the problem for me is that with a password only I know the password, the company may define the criteria for my password but it would hopefully be stored as an encrypted string, what I can do is generate a secure password such as U0l!V7Gxo5tVnMTP!a7a!$. But on a wider position, the request for a password shows the person logging in knows something to confirm who they are, something that is not in the public domain or accessible easily.

As this is a large regulated company, my feeling is to report it to the ICO as customers should have their data protected properly.

I would be interested to know if any security techs out there think my concerns are valid, I have seen this system used on websites that are not really that important and as I did not anticipate returning to those sites I did not worry about it as they hold nothing secure.

Comments

  • dan958
    dan958 Posts: 770 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    edited 21 February 2020 at 3:08PM
    Pescur said:
    So now if my email account is hacked and the hackers trawl my account for useful information for ID theft or whatever, they will come across one of the login emails of this company, go to their website, key in the email address and await the email with the login URL.

    This is the same for the majority of services that you sign up for. Even if the 'hacker' doesn't know your username, a forgotten password will generally give this information over. This is why actual 2fa is good to set up (like google 2fa, if the site supports it). It doesn't make a difference here if the username is your email address or something random. Websites that have non-email usernames also generally have an 'I've forgotten my username', although I don't often see sites that don't use email addresses to sign in. Most sites also let you sign in via username and/or email (this forum for example)
    Pescur said:
    the company may define the criteria for my password but it would hopefully be stored as an encrypted string

    I also wouldn't rely on this. Plenty of providers may not encrypt your data. Logging on with an email address is pretty normal, and does not make it 'in the public domain', unless the website actually shows it to other users. Normally privacy settings can change this.
    Pescur said:
    But on a wider position, the request for a password shows the person logging in knows something to confirm who they are, something that is not in the public domain or accessible easily.

    I've tried reading this a few times, but I just don't know what you mean.

    Another company is not responsible for your email being hacked (and no, I am not aware that all email providers have had large scale data breaches that exposed all passwords, unless by 'hacked' you mean someone just brute forcing an easy password). They just need (but are not required to) offer ways of you protecting your account, through things such as 2fa.

    A username isn't really the thing designed for protecting your account, it is mainly used as the unique identifier for each account (but someone not knowing your username does help security, as it can help stop/slow down brute force attempts)
  • JJ_Egan
    JJ_Egan Posts: 20,281 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Loads on haveibeenpwned web sites.
    50% of my email addresses show as on a known data hack.

    OP can you log in then change log in on this site?
  • dan958
    dan958 Posts: 770 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    edited 21 February 2020 at 3:53PM
    JJ_Egan said:
    Loads on haveibeenpwned web sites.
    50% of my email addresses show as on a known data hack.

    OP can you log in then change log in on this site?
    You will find that you have been in many known data breaches by using haveibeenpwned (kickstarter, linkedin, adobe, the list goes on), but that doesn't mean your email address was hacked, just that your email address was found in a known data breach on another website (it will say which data breach on haveibeenpwned). It also doesn't mean that your password was leaked, just some of your data. This is why it is good practice to use 2fa and different passwords for every site (look into using a password manager)
  • forgotmyname
    forgotmyname Posts: 32,853 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Browser storing the password, but you cleared the autofill for the username/email?
    Once you type the user/email the browser thinks I have the password for that and autofills it?


    Censorship Reigns Supreme in Troll City...

  • Pescur
    Pescur Posts: 51 Forumite
    Sixth Anniversary 10 Posts
    dan958 said:
    Pescur said:
    So now if my email account is hacked and the hackers trawl my account for useful information for ID theft or whatever, they will come across one of the login emails of this company, go to their website, key in the email address and await the email with the login URL.

    This is the same for the majority of services that you sign up for. Even if the 'hacker' doesn't know your username, a forgotten password will generally give this information over. This is why actual 2fa is good to set up (like google 2fa, if the site supports it). It doesn't make a difference here if the username is your email address or something random. Websites that have non-email usernames also generally have an 'I've forgotten my username', although I don't often see sites that don't use email addresses to sign in. Most sites also let you sign in via username and/or email (this forum for example)
    Pescur said:
    the company may define the criteria for my password but it would hopefully be stored as an encrypted string

    I also wouldn't rely on this. Plenty of providers may not encrypt your data. Logging on with an email address is pretty normal, and does not make it 'in the public domain', unless the website actually shows it to other users. Normally privacy settings can change this.
    Pescur said:
    But on a wider position, the request for a password shows the person logging in knows something to confirm who they are, something that is not in the public domain or accessible easily.

    I've tried reading this a few times, but I just don't know what you mean.

    Another company is not responsible for your email being hacked (and no, I am not aware that all email providers have had large scale data breaches that exposed all passwords, unless by 'hacked' you mean someone just brute forcing an easy password). They just need (but are not required to) offer ways of you protecting your account, through things such as 2fa.

    A username isn't really the thing designed for protecting your account, it is mainly used as the unique identifier for each account (but someone not knowing your username does help security, as it can help stop/slow down brute force attempts)
    I am sorry if I was not clear enough for you

    So if you access this site you create a username and set a password, a normal feature of any website. As part of the account creation process they verify your email, so all good and this site does not even need huge security because one imagines the only information people would want to keep secure is their email address.

    Now imagine you accessed say the home banking website of your bank, but they did not take your account number, or customer number or password and only asked for your email address.

    So you enter your email address and they send to your email a link.

    You click on that link and you have full access to your home banking.

    My concern is that the site has not established adequately that it is me trying to login, no password, no security device where I insert my debit card, not even a customer number.

    So for them, if you can access your email that is enough, yet email systems are the weakest systems.

    Yahoo Oath is currently trying to settle a class action for billions of Yahoo accounts that were hacked and every online email provider has been hacked.

    Email is not a secure protocol, emails are transmitted un-encrypted for most people from server to client including web client, so the hyperlink they send can be intercepted.

    Email accounts are the easiest of systems to hack, for example I know a law firm that was hacked and lost client money, it started with the solicitor using an insecure means to access his work email from home.  The hacker was able to read the emails and find a client who had a relative recently die and the Solicitor was handling the will etc.

    The emails included all the details of the beneficiaries of the estate, the hacker then hacked into the email accounts of most of the beneficiaries and pretended to be them, sending messages to the Solicitor telling them to pay their inheritance into mule accounts, due to the incompetence of the solicitor they managed to get over £50,000.

    What this company seems to have done is to delegate their security to your email provider, despite not knowing who your provider is.

    They have taken away the part of access control that checks you know something that others do not know (a password), they have not added any other security, you literally enter your email address, await their email with the link, click on the link and you are in.

    It is a hacker's dream!
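The "enter your email, receive a link, click it, you are in" flow discussed in this thread is usually called a magic-link login. As an added illustration (not code from this thread, from MSE, or from the unnamed company), here is a minimal server-side model of that flow written the way a defender would want it built: the token is random and only its hash is stored, the link expires and works once, requests per address are rate-limited, and the link is bound to a browser session cookie issued when the address was entered, so a copy of the email read from a compromised mailbox on another machine does not open the account. Names such as `MagicLinkService`, the in-memory stores and the injectable clock are illustrative assumptions.

```python
"""
Added example: a hardened magic-link login flow, modelled in memory.
Not the code of any real site; all names are illustrative.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 600          # the emailed link is valid for 10 minutes
MAX_REQUESTS_PER_WINDOW = 3      # at most 3 link requests per address ...
WINDOW_SECONDS = 900             # ... per 15-minute window


@dataclass
class PendingLogin:
    token_hash: str     # sha256 of the token; the token itself is never stored
    session_id: str     # browser session that asked for the link
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # token_hash -> PendingLogin
        self.requests = {}          # email -> timestamps of recent requests

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_link(self, email: str, session_id: str):
        """Called when the user types their address.

        Returns the token that would be embedded in the emailed URL, or None
        when the address has hit the rate limit.  A real service would show
        the same "check your inbox" page in both cases so that the response
        does not reveal whether an address is registered.
        """
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.requests[email] = recent
            return None
        recent.append(now)
        self.requests[email] = recent

        token = secrets.token_urlsafe(32)     # 256 bits of randomness
        self.pending[self._hash(token)] = PendingLogin(
            token_hash=self._hash(token),
            session_id=session_id,
            email=email,
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str, session_id: str):
        """Called when the link is clicked.

        Returns the authenticated email address, or None if the token is
        unknown, expired, already used, or presented from a browser other
        than the one that requested it.
        """
        entry = self.pending.get(self._hash(token))
        if entry is None:
            return None
        if entry.used or self.clock() > entry.expires_at:
            return None
        # Constant-time comparison of the session binding.
        if not hmac.compare_digest(entry.session_id, session_id):
            return None
        entry.used = True       # single use: a replayed link is rejected
        return entry.email


if __name__ == "__main__":
    # Constructed walkthrough: the legitimate browser requests a link, a copy of
    # the email presented from another session is refused, the original works once.
    svc = MagicLinkService()
    tok = svc.request_link("alice@example.com", session_id="browser-A")
    print("other browser:", svc.redeem(tok, "browser-B"))   # None
    print("same browser: ", svc.redeem(tok, "browser-A"))   # alice@example.com
    print("replay:       ", svc.redeem(tok, "browser-A"))   # None
```

The session binding is the part that addresses the thread's central worry: with it, reading the email is not enough, the attacker would also need the cookie from the browser that asked for the link. The trade-off is usability (the link must be opened in the same browser that requested it), which is why many sites offer it only as an option or fall back to a second factor instead.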
  • Pescur
    Pescur Posts: 51 Forumite
    Sixth Anniversary 10 Posts
    Browser storing the password, but you cleared the autofill for the username/email?
    Once you type the user/email the browser thinks I have the password for that and autofills it?


    On this company's login process there is no username nor is there a password,
    You just enter your email address
    They send a link
    You click on the link
    and you have full access
    So if your email account is hacked they are in.
    As email accounts are some of the most vulnerable platforms it is grossly incompetent to use this system

  • mksysb
    mksysb Posts: 401 Forumite
    Eighth Anniversary 100 Posts Photogenic Name Dropper
    Presumably your email has a password so that is the password being used. You have to make that secure with 2FA. This is no different to if you forgot your password, a link to reset it would be sent to your email account.

    Think you are making much too much of this.

  • debitcardmayhem
    debitcardmayhem Posts: 12,505 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 22 February 2020 at 5:11PM
    Don't be a drama queen
       "What this company seems to have done is to delegate their security to your email provider, despite not knowing who your provider is.

    They have taken away the part of access control that checks you know something that others do not know (a password), they have not added any other security, you literally enter your email address, await their email with the link, click on the link and you are in.

    It is a hacker's dream!"
    You don't use your real email address password, "this company" stores your password on their servers, not your email provider's. Mind you if you enter the same password on both more fool you. Do you realise that my id debitcardmayhem is stored alongside the password on the MSE servers, as is my email address etc. If they, MSE, lose this then all that happens is someone else can post on here pretending to be me, MSE will (well may) send me a heads-up saying they've been breached, whereupon I change my password, and in my case my email address too. No great loss is there
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 + Octopus Intelligent Flux leccy
  • Yahoo Oath is currently trying to settle a class action for billions of Yahoo accounts that were hacked and every online email provider has been hacked.

    Not true, my online email has never been hacked due to the yahoo breach either. Facts not statistics nor the Dail Fail Website


    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 + Octopus Intelligent Flux leccy
  • dan958
    dan958 Posts: 770 Forumite
    Seventh Anniversary 500 Posts Name Dropper
    edited 23 February 2020 at 11:34AM
    Pescur said:
    Browser storing the password, but you cleared the autofill for the username/email?
    Once you type the user/email the browser thinks I have the password for that and autofills it?


    On this company's login process there is no username nor is there a password,
    You just enter your email address
    They send a link
    You click on the link
    and you have full access
    So if your email account is hacked they are in.
    As email accounts are some of the most vulnerable platforms it is grossly incompetent to use this system

    It is a bit weird not being able to set a password, but even if you could, if someone could access your emails then they can reset your password anyway. This is why 2fa is so important, and I wouldn't use any serious accounts (banking) that don't support it.

    I'm also still getting those 'your email has been hacked' emails, with a password I used 10 years ago from the companies that stored my password in plain text!
This discussion has been closed.