Recently I had to update my email on websites that I regularly use. As I began the process, I quickly discovered how insecure some of them were. On websites such as Bank of America, Citi and Foursquare, it was frighteningly simple to change my email address with very little security or confirmation. Others, such as Ebay, Facebook and Twitter, had some of the best security, combining confirmation links sent to the new email address, unique security codes and a confirmation box to re-enter your password even though you are logged in.
Chances are many of you probably use at least a few of these websites. So I thought it would be interesting to detail the best and worst examples of them.
The worst websites I ran into sent no confirmation or notification of changes to the user, or, if they did, it was severely delayed.
A major financial institution such as Citi should have a pretty tight security and confirmation system, right? Well, you thought wrong. With Citi, I was surprised to find that the only requirement was a simple update form within their website. Once submitted, a confirmation message appears saying “Your updates have been submitted and should take effect within 48 hours.”
That’s it! Not even a single email confirmation is sent immediately. I actually received my confirmation email about 24 hours later. In that amount of time, who knows what could happen.
How about a major banking institution like Bank of America? These guys probably have a pretty solid system, at least I thought. Updating your email is pretty straightforward on their website.
Once your email address has been updated, a confirmation is sent immediately to both your old and new email address. However, I was surprised that no confirmation link was contained within the email to verify the change.
You would think Foursquare might have learned their lesson after it was revealed that they were storing usernames and passwords unencrypted in plain text on Android apps. Not so much. Foursquare allows you to update your email with absolutely NO confirmation notification whatsoever. A simple "Saved Settings" message is all you get. Maybe it’s time to do a security audit?
The best websites I ran into had multiple alert notifications, required the user to confirm changes via an activation link and also required the user to re-enter their password to submit changes even when already logged in.
Ebay had one of the most comprehensive confirmation systems. When your email address is updated, a notice is sent to your old email address alerting you to the change.
Bank of America or Citi are you reading this?
Facebook was similar to Ebay except for one noticeable difference. In order to update your email, you must first confirm the change by re-entering your password, even though you are logged in. Most likely this is the result of the now infamous Firesheep hack.
Once your changes are saved, you are then sent confirmations to your old and new email addresses, with an activation link sent to the new email address.
Twitter also sent confirmation emails to both old and new email addresses, along with an activation link. However, it did have one design aspect that stood out from the rest. A persistent notification bar appears at the top of the page alerting users to confirm their new email address. A message also appears notifying the user that, until a confirmation has been made, notifications will be sent to the current email address.
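To make the "best" flow concrete, here is an added example (my own sketch, not code from any of the sites above) of an email-change service that combines the three properties described: password re-entry even while logged in, an immediate notice to the old address, and an activation link to the new address, with notifications staying on the current address until the link is used. The account store and mail transport are constructed in memory; the token lifetime and names are assumptions.

```python
import secrets, hashlib, hmac, time

TOKEN_TTL = 3600  # assumed: an unconfirmed change simply lapses after an hour

def hash_password(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class EmailChangeService:
    """Constructed in-memory stand-in for an account store and a mail transport."""
    def __init__(self):
        self.users = {}   # username -> {"salt", "pw", "email", "pending"}
        self.outbox = []  # (recipient, subject) pairs instead of real SMTP

    def register(self, user, pw, email):
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "pw": hash_password(pw, salt),
                            "email": email, "pending": None}

    def request_change(self, user, pw, new_email, now=None):
        """Step 1: re-authenticate, notify the old address, send a link to the new one."""
        u = self.users[user]
        # Re-enter the password even though the session is logged in (the Facebook approach)
        if not hmac.compare_digest(hash_password(pw, u["salt"]), u["pw"]):
            raise PermissionError("password required to change email")
        token = secrets.token_urlsafe(32)
        # Only a hash is stored, so a leaked database cannot be used to confirm the change
        u["pending"] = {"email": new_email,
                        "token_hash": hashlib.sha256(token.encode()).digest(),
                        "expires": (now or time.time()) + TOKEN_TTL}
        # The old address learns immediately; the new address gets the activation link
        self.outbox.append((u["email"], "Email change requested; contact us if this wasn't you"))
        self.outbox.append((new_email, f"Confirm your new address: /confirm?token={token}"))
        return token  # returned only so a caller can simulate clicking the link

    def confirm(self, user, token, now=None):
        """Step 2: the link from the new mailbox proves control of it; only then swap."""
        u = self.users[user]
        p = u["pending"]
        if p is None or (now or time.time()) > p["expires"]:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), p["token_hash"]):
            return False
        old, u["email"], u["pending"] = u["email"], p["email"], None
        self.outbox.append((old, "Your email address was changed"))
        return True

    def notification_address(self, user):
        """Until confirmed, every notification still goes to the current address (as Twitter does)."""
        return self.users[user]["email"]
```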