Pure frustration: What happens when someone uses your email address to sign up for PayPal, car hire, doctors, security systems and more

Messsage Center: Call this number. Number: Use the Message Center.

Many companies have no mechanism to deal with a common problem: when users open accounts using someone else's email address, either by accident or design. "I have had a barrage of account creation requests that will fail ... also a large number of invoices, warranty emails and so on for purchases, from furniture to electronics," a reader informed us.

Email is perhaps the nearest thing to a universal identity system for the internet, but if it is such a thing, it is much flawed. The problem is not only that email addresses are easily spoofed - mitigated by mechanisms like SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) – but that they also lack any robust process by which organisations collect email details.

Best practice is to treat any claim to an email address as suspect until the user has verified their ownership via a key sent to that address, but this is by no means universally followed, as well as being vulnerable to a confused recipient inadvertently clicking a confirming link.

We know many of these problems first-hand. Gmail accounts that are commonly abused in this way, and journalists were among early adopters who got seemingly attractive email addresses like forename.surname@gmail.com, which seem prone to this misuse. Google has made it worse because it treats email addresses as identical irrespective of the presence or whereabouts of the dot, so foo.bar@gmail.com is identical to foobar@gmail.com or f.oobar@gmail.com, in that all are received by the same gmail account.

"Thank you for choosing Europcar," says an email received a few days ago by one of our team, for a booking in Rome that is unknown to the recipient – complete with a special "manage your booking" link that could presumably cause mayhem if clicked. They also got a record of every transaction made by a credit card used by a customer of First National Bank Texas, appointment reminders for a dentist in Wisconsin, USA, alerts from Experian for a credit record for a mystery person in the USA, and account statements for a security company in Carolina.

Catch 22: The PayPal version

Our reader has issues with internet banking giant PayPal, among others. It all started, he said, when "I received an email from a US company with a receipt for shipping of a phone."

This came to his Gmail address, though without the dot he habitually uses between first and second name. Since then he has received numerous emails which he thinks relate to the same person, including invoices and warranties.

"There are login requests to Etsty and a few others where it appears he is trying to sell things to pay for his new purchases and recently an authentication confirmation request to a finance management company followed by a credit notice email with attached pdf (promptly deleted for privacy reasons)," our reader told us.

An example email received from PayPal, to an email recipient that has not knowingly opened an account. Points to note: this is not merely a verification email; it does seem to be really from PayPal according to the usual checks; and it cannot accept replies.

An example email received from PayPal to an email recipient that has not knowingly opened an account. Points to note: this is not merely a verification email; it does seem to be really from PayPal according to the usual checks; and it cannot accept replies

"The most recent sign-up was to Paypal, so there are now 2 accounts linked to my email under 2 different aliases. Paypal's phone number does not work, the auto chat is useless and when you ask to speak to a person you get an apology 6 days later that they did not get back to you," he told us, though he does not think the person is actually able to log in to PayPal using this email address.

He then encountered a special PayPal version of Catch 22: "The Paypal message center gave me a number to ring. The number took me through the usual maze and then the automated message said they could not help over the phone and I had to use the message center."

One of the problems is that most such emails come from email addresses helpfully marked "do not reply." How then do you contact the company to inform them of their error? "It is always the same," he said. "I need to log in to contact support, which I refuse to do as I do not have rights to view his data … emails to support addresses are not responded to."

The simple solution is to delete all such emails without reading them, but there are troubling aspects to this approach. First, there is the good citizen aspect: one would think that (unless engaged in fraud attempts) all these bank accountholders or hirers of vehicles would prefer that their transaction details were not sent to an unknown third party.

Second, there is the worry that something underhand may be going on and that it is the beginning of an attempt at identity theft; or that some unpleasantness around unpaid invoices might ensue. Resolving the error is to the benefit of all parties.

We have, on occasion, had success with approaches to Twitter support accounts - which typically do not require a login before they will engage with you – or website chat agents; but it can be remarkably difficult to get the message through to the right person that no, you are not their customer, and could they please stop spamming you.

We asked PayPal for comment but while it has offered to investigate our reader's issue, the company has not come back with any general remarks on why this kind of thing is allowed to happen or what its non-customers should do when it does.

In the meantime, the message to web developers is: send just one verification email to customers setting up accounts, preferably complete with an option for "no this is not me"; and if there is no response, delete the email address and never send another one. ®

Broader topics

Other stories you might like

  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading
  • Rocket Lab is taking NASA's CAPSTONE to the Moon
    Mission to lunar orbit is further than any Photon satellite bus has gone before

    Rocket Lab has taken delivery of NASA's CAPSTONE spacecraft at its New Zealand launch pad ahead of a mission to the Moon.

    It's been quite a journey for CAPSTONE [Cislunar Autonomous Positioning System Technology Operations and Navigation Experiment], which was originally supposed to launch from Rocket Lab's US launchpad at Wallops Island in Virginia.

    The pad, Launch Complex 2, has been completed for a while now. However, delays in certifying Rocket Lab's Autonomous Flight Termination System (AFTS) pushed the move to Launch Complex 1 in Mahia, New Zealand.

    Continue reading

Biting the hand that feeds IT © 1998–2022