The Garden City Refugee

Musings from around the Niagara Region and elsewhere


Insecure Security

September 10, 2024

As loyal readers may recall, many out there have been using a Gmail address of mine which I rarely quote to others to sign up for accounts with various websites. Unfortunately, this is a problem that continues unabated. As angry as I am with those idiots, however, some of whom are repeat offenders that date back several years, I am probably more upset with the companies behind those sites. They make it so easy for someone to sign others up for their services, yet some make it nearly impossible for the legitimate owner of the email address to get out of their clutches.

Take, for example, a recent case when someone used my email address to sign up with a major e-commerce platform which offers online stores. For the sake of discussion, let’s call them Obnoxious Corp.

When the latest idiot to latch on to my Gmail address signed up for an account at Obnoxious Corp’s site, they asked for verification. This step adds extra security to your business by verifying you own this email, they say. But though I didn’t click the verification link, it didn’t stop them from creating the account. So in other words, it’s nice if you actually own the email address you signed up with that controls the e-commerce site you’re about to launch and is the primary method of contact between us, but it’s really not that big of a deal. We can worry about that later. Don’t sweat the petty details.

Moving on, this enterprising entrepreneur created a store as well as a payment account. Let’s get this party started, he must have thought. No doubt dollar signs were floating around inside his head. Could Lifestyles of the Rich and Famous be far behind?

But Obnoxious Corp threw a wrench into his plans. No, it wasn’t because his email address wasn’t verified. It was because he needed to submit a missing identity document before his payment account could be activated. Aw, shucks. But before tending to the payment account, he made sure to enable two-factor authentication for his login account. Every time he logged in going forward, he’d need to enter a code from Obnoxious Corp’s app. Security was obviously critically important to this guy, just as it is for Obnoxious Corp. And what could be more secure than two-factor authentication based on someone else’s email address?
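The two failures described above (an account that goes live without the verification link ever being clicked, and store, payment and 2FA setup all hanging off an address nobody has proven they control) come down to one missing gate in the signup flow. The following is an added example of what that gate looks like, written for this post and not Obnoxious Corp's code: the account exists only as a pending record until the emailed token is presented, every privileged action checks for that, and pending records that are never verified are purged automatically. The token lifetime, purge window and the sample addresses are assumptions chosen for the illustration.

```python
"""Verify-before-activate signup flow (added example, not any vendor's real code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

VERIFY_TTL_SECONDS = 24 * 3600        # assumed: verification links expire after a day
UNVERIFIED_PURGE_SECONDS = 7 * 86400  # assumed: abandoned signups are purged after a week


class NotVerified(Exception):
    """Raised when a privileged action is attempted on an unverified account."""


@dataclass
class Account:
    email: str
    verified: bool = False
    created_at: float = 0.0
    verify_token_hash: Optional[str] = None   # only the hash is stored, never the raw token
    verify_expires_at: float = 0.0
    stores: List[str] = field(default_factory=list)
    totp_enabled: bool = False
    payment_account: bool = False


class SignupService:
    def __init__(self, now=time.time):
        self.now = now                         # injectable clock so expiry can be tested
        self.accounts: Dict[str, Account] = {}

    def sign_up(self, email: str) -> Tuple[Account, str]:
        """Create a pending account; return the raw token that would go in the email link."""
        token = secrets.token_urlsafe(32)
        acct = Account(email=email, created_at=self.now(),
                       verify_token_hash=hashlib.sha256(token.encode()).hexdigest(),
                       verify_expires_at=self.now() + VERIFY_TTL_SECONDS)
        self.accounts[email] = acct
        return acct, token

    def verify_email(self, email: str, token: str) -> bool:
        """Flip the account to verified only for a fresh, matching token."""
        acct = self.accounts.get(email)
        if acct is None or acct.verified or self.now() > acct.verify_expires_at:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.verify_token_hash):
            return False
        acct.verified = True
        acct.verify_token_hash = None          # single use
        return True

    def _require_verified(self, email: str) -> Account:
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:
            raise NotVerified(f"{email} has not proven ownership of the address")
        return acct

    # Every action that binds the address to something valuable goes through the gate.
    def create_store(self, email: str, name: str) -> None:
        self._require_verified(email).stores.append(name)

    def enable_totp(self, email: str) -> None:
        self._require_verified(email).totp_enabled = True

    def open_payment_account(self, email: str) -> None:
        self._require_verified(email).payment_account = True

    def purge_stale_signups(self) -> List[str]:
        """Drop unverified accounts older than the purge window; return the emails removed."""
        stale = [e for e, a in self.accounts.items()
                 if not a.verified and self.now() - a.created_at > UNVERIFIED_PURGE_SECONDS]
        for e in stale:
            del self.accounts[e]
        return stale


def demo_stranger() -> dict:
    """The post's scenario: someone signs up with an address he does not control."""
    clock = [1_000_000.0]
    svc = SignupService(now=lambda: clock[0])
    svc.sign_up("victim@example.com")            # constructed sample address
    blocked = 0
    for action in (lambda: svc.create_store("victim@example.com", "shop"),
                   lambda: svc.enable_totp("victim@example.com"),
                   lambda: svc.open_payment_account("victim@example.com")):
        try:
            action()
        except NotVerified:
            blocked += 1
    guessed = svc.verify_email("victim@example.com", "not-the-real-token")
    clock[0] += UNVERIFIED_PURGE_SECONDS + 1      # nobody ever clicks the link
    purged = svc.purge_stale_signups()
    return {"blocked": blocked, "guess_accepted": guessed, "purged": purged,
            "still_exists": "victim@example.com" in svc.accounts}


def demo_owner() -> bool:
    """The legitimate owner clicks the link in time and can then enable 2FA."""
    svc = SignupService()
    _, token = svc.sign_up("owner@example.com")   # constructed sample address
    ok = svc.verify_email("owner@example.com", token)
    svc.enable_totp("owner@example.com")
    return ok and svc.accounts["owner@example.com"].totp_enabled


if __name__ == "__main__":
    print(demo_stranger())
    print(demo_owner())
```

The design choice worth noting is that the pending record holds nothing a third party can exercise: no store, no payment account, no second factor. That is what makes the cleanup cheap, since a record nobody ever verifies simply ages out instead of needing a "specialized team" and a perjury declaration to remove.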

As I normally do in such cases, I didn’t just leave the account there. Instead, I asked for a password reset, which logged the idiot out of his/my account and locked him out for good. Unfortunately, I was locked out as well, and with no way of deleting this account through the normal channels, I went to Obnoxious Corp’s support site. They offered a chat option, but they wouldn’t let me get through to anyone without knowing the details of the store this guy created. If only they had been this picky when creating the account, I thought.

This left me no other option than to pursue them via the X/Twitter route. Several hours later, someone responded and provided me with a link where I could get in touch with an agent. After some back and forth, the agent said, “I have great news! Right now, after checking my system I was able to find that we can solve your concern with an escalation to request the removal of this account and take down the store. I’m going to make the request with my specialized team and they will contact you through via email as soon as possible.”

They require a “specialized team” to delete an account? I wondered. But I was at least relieved that they’re taking care of it. With any luck, I would get an email shortly confirming the deletion. Yet nothing came. All I got from them was a marketing email the next day. Build your dreams with us, they say. Your store, your way. The best brands are built over time, which is why you can extend your trial for just $1. Take the time to get your store just right.

But don’t bother taking the time to get your email address just right.

Upon further investigation, in addition to having my email on the account, I had also been subscribed to various other marketing emails. How nice of Obnoxious Corp. So I was left to have to unsubscribe from each of them. At least I was able to do that much without going through support and needing the intervention of one of their “specialized teams.”

Two days later, I still hadn’t heard from them, so I followed up by replying to the email I got from the agent, quoting the ticket number. Perhaps not surprisingly, there was no reply. So two days later, I tried logging in. Maybe they had deleted the account and not bothered to send me an email, I thought. But sadly, the account was still there.

Sigh.

Using the chat link, I got in touch with another agent. “I have checked with our team and confirmed that the store connected with your email is already blocked by the team, and it will no longer work,” she said. “However, to complete erase the data from the system, it will take sometime. But you can be rest assured that the team have confirmed that they have already proceeded with this, so as soon as everything is done you will be notified on the same ticket.”

Sure takes a long time to delete an account, I thought. Must be government workers. If only it took this long to create an account.

Four days passed. Nothing from support. But they were kind enough to send me the details of an important update to my payment account, explaining how the funds will be transferred to another bank and what to expect during the process. It was especially kind of them considering that the payment account wasn’t even active because the idiot who created it hadn’t submitted an identity document.

Three more days passed. Finally something from an account security specialist on what they termed a “sensitive information takedown request”:

“Frank with Obnoxious Corp’s Account Security team here; I hope your day is going well. We have received your complaint that your email address has been used to create a store without your consent. I can advise that this store has been located and is no longer operational. If you would like to have your email address removed from our database and have the account deleted fully, this can be requested via our privacy portal.”

While the steam was pouring out of my ears, I wondered why the original agent or even the agent who responded via X/Twitter didn’t just send me there in the first place. Frank didn’t tell me anything I didn’t already know. But in any event, I went to the privacy portal and started the deletion request process. Interestingly, they wouldn’t let me proceed until I verified the email address. They make you verify it to get out, but not to get in, create a store and enable 2FA. Makes sense. Or not.

Having verified the email address, I also had to digitally sign “under penalty of perjury” that I was the rightful owner of the address. Only then would they submit the request, noting in the confirmation that I may be asked to provide additional details and that this request would be completed in a month’s time.

That’s right. An account created within minutes under my credentials by a third party without my consent needs six weeks and a big steaming pile of bullshit to fully delete. As I said when given the opportunity to provide feedback, “You folks should be embarrassed.” I might be a little more understanding if Obnoxious Corp was some mom-and-pop organization flying off the seat of their pants, but the truth of the matter is that they’re anything but. They’re a large, well-known outfit with customers from around the globe.

The original idiot who created the account doesn’t know how lucky he is that he never got the opportunity to get hooked up with Obnoxious Corp.
