Is this new, or have online accounts never offered the ability to update your email address easily?
I don’t know your specifics, but implementing adequate security and being mildly infuriating often go hand in hand by necessity.
deleted by creator
Being able to update or rotate email addresses is a security matter, so I’d rather have that control than not.
For example, someone mentioned that if a bad actor had access to your email, they would be able to access all your accounts.
But I would argue that if your email address was compromised, and you needed to change the login email for important accounts as a counter-measure, this wouldn’t be an easy option. So this bad actor would have more control over your accounts (i.e. resetting passwords) than the user.
I don’t mind implementing strong security, as it’s often done when setting up an account for the first time, getting 2fa enabled, etc. But updating an email shouldn’t be this difficult. My banks allow me to do it, but our local sporting good store doesn’t? Come on! 😂
I’m not going to go down the route of arguing whether or not the bank should allow it to be easy to change your email address, but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react, and you’re going to be on the phone with each one of those institutions anyway. You don’t hear a lot of this happening anyway, because it’s usually a lot safer to con somebody out of their money than it is to smash and grab out of their accounts, and probably as easy if not easier.
As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.
but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react
Well, I’m only doing to disagree because it’s impossible to log into my important accounts without being notified by texted and/or being asked for a 2fa authentication.
The way I see it, changing an email address doesn’t really do any damage, only causes inconvenience.
I’d be more worried about changing a shipping address and using a saved credit card to make real purchases. That’s what companies should protect against, but I’ve never had to prove my residence to any of them.
As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.
They’re actually pretty good with NOT spamming, but I did email their customer service to ask how I can change my email address, and they asked that I call.
Your email is often the only method used/available to recover an account you’ve lost access too. Changing it requires absolute certainty that it is the account owner making the change.
It’s frustrating, but a necessary evil imo.
At least changing it is an option; many places build their account systems around your email being immutable. If you want to change it, you’ve gotta make a new account and request anything you can’t manually move be moved over for you.
At least changing it is an option; many places build their account systems around your email being immutable.
Aka: “we outsourced development, and they determined it was easiest to make your email address a primary key in the database”
I have never used a single service that require me to contact support for an email change. Moreover, they email you a link to verify and if you don’t, the email remains unchanged.
There’s literally no panic button for an email change not sure what era you’re computing in but it ain’t from the last 15 years.
Your email is often the only method used/available to recover an account you’ve lost access too.
Unfortunately, this is a weak security practice that really is used everywhere.
2fa helps mitigate the risk. An alternative email or even (cringe) a phone authentication is better than email recovery.
Changing it requires absolute certainty that it is the account owner making the change.
While that sounds good, it’s really not reality. An angry spouse, who would have access to their partner’s email address through a shared computer (for example), could easily wreak havoc by using this exploit.
But if that partner used random email addresses and strong 2fa, there’s almost no risk.
There’s unfortunately a fine line between too-easy access to someone’s accounts, and losing all your account if you forget the login details. I’m willing to take the latter option, because it’s less convenient for me (if that ever happens), but far better than if your data got into someone else’s hands.
Getting back to my OP… the vast majority of these accounts are not important enough for me to even worry about account security, so not being able to change the email address is just a poor user experience. My bank was by far the easiest to change emails on! LOL
Unfortunately, this is a weak security practice that really is used everywhere.
This we can agree on.
I cant think of a single account that I’ve had to call anyone to change, as long as I had access to both email addresses (the one I was changing from and the one I was changing to).
I recently changed my personal email. Updated every account I knew of (thanks Bitwarden!!). Updated about 120 accounts, closed maybe 20, and 5 or so can’t be changed.
Of the ~120 that I changed, I think about half of them were easy to change. Not much confusion. There was a clear enough process. Etc. Most of the rest were difficult to change but I could do so on my own eventually.
Something like ~10 accounts required emails and phone calls to support.
A few were terrible. Things like updating my email address in 10 places for one account. Or the updates go fine but just didn’t work, requiring many repeat attempts or phone calls.
So it’s a real problem in my experience. But not the norm. Maybe 1/10 rather than 9/10
I wish!
I tried to ditch Gmail completely and a year later I still have some services (my kids school etc) where the Gmail email is my login even though I’ve changed the email. Not possible to change the login.
I’ve run into that a few times, but usually just on financial sites or services where an attempted account hijack may be likely, and it’s ultimately a good thing. There have been one or two where it seemed entirely unnecessary though, so I get the frustration.
Yeah, anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address). But random superfluous websites I use for entertainment or socializing? Get outta here.
anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address).
Hardware-based 2fa would be nice, but it seems that these same organizations are among the only which DON’T have hardware-based 2fa and insist on texting codes, instead.
None of them actually take security seriously, even through all of them should be!
I agree, texted codes are not very secure and it honestly surprises me how common that quasi-2fa implementation still is. Granted, common thieves/scammers don’t typically go thru the hassle of emulating your number and generating a false sim card in order to intercept text messages meant for you. So, it’s still better than nothing, at least.
People are often easier to hack than a proper MFA solution.
but usually just on financial sites or services
Funny enough, all my banks allow me to change my email address easily through their app or website! And they DON’T offer strong 2fa, so security is the least of their priorities.
But so many sites, like our local hardware site or G2A (for buying software keys) don’t, and I’d rather close the account (done through their website, no less!) than go through the hassle of contacting support.
Imagine if you have your email compromised then it is too easy to loose all your accounts if changing the email is easy
Not really.
Someone would need to know what accounts you have (which are not stored on my email), then know the password to access them.
That’s if they are able to bypass the 2fa I have set on each account that offers it.
And it’s also too bad for them, because I use different email address per account, which can be rotated and changed (if the damn site allows you to update your email).
You need to have good security for all your accounts, and allowing a user to rotate email addresses between various websites, is as important as allowing me to update my password whenever I like.
Really, the inconvenience of not allowing me to change my own account far outweighs the unlikelihood that anyone would compromise my email address (hasn’t happened in over 25 years, and that’s with having at least a dozen different email addresses).
Someone would need to know what accounts you have (which are not stored on my email)
Aren’t they?
Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.
Most services send you emails at least on registration.
then know the password to access them.
Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I’ve already compromised.
That’s if they are able to bypass the 2fa I have set on each account that offers it.
That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn’t email.
And it’s also too bad for them, because I use different email address per account, which can be rotated and changed (if the damn site allows you to update your email).
You do realise the average person will never do this, right?
Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.
Yes, you can assume EVERYONE has a Google, Amazon, Facebook, or Reddit account, right?
But this is why I use different email addresses. You’d never be able to use one of my email address across services, so not having the ability to secure my own accounts makes no sense.
But I will say that having strong email security pretty much eliminates this hypothetical risk.
Most services send you emails at least on registration.
Delete those. Why keep them?
Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I’ve already compromised.
2FA prevents this.
I should be able to mitigate a website’s weak security practices by being able to modify all aspects of my account.
That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn’t email.
I agree, and while I think that plenty of websites still have a long way to go, let the user do what they can to further secure their account… by rotating email addresses easily.
You do realise the average person will never do this, right?
They should. I don’t think security-minded folks should have to suffer because other people don’t care or don’t know.
Plus, there are more services that offer very easy, one-click options for generating new email addresses per account. Anyone who cares enough would already know.
I’d also note that often 2fa can be disabled with access to the registered email account. People lose shit, services have to offer recovery options. That’s usually via email.
There are massive collections of databases online that find where breaches have occurred allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then once that email account ever has a password breach attackers can look up and see ‘was this password used also on other accounts’ and attempt to use the same email and password on them. Moreover they will just try that email regardless of known affiliation, if they already have a user name and password across many online services, it’s safe to assume this will work sometimes. This is the essence of a credential stuffing attack.
https://www.abc.net.au/news/2023-05-18/data-breaches-your-identity-interactive/102175688
I’ve used abc here since I believe they write better for a lay person.
Edit: I should mean to say, they can also create a profile of you and your many email addresses as demonstrated.
Those are full-blown attacks from hackers, so I’m sure they could profile you from bits of data across the net.
But if a layperson is using a different email per account, different username, a strong password, and 2fa, it’s going to be very hard to infiltrate their accounts, or even associate one account from another.
Not giving people the option to change their email makes a hacker’s job much easier!
Not giving people the option to change their email makes a hacker’s job much easier!
What?! How!?
Layperson uses same email, same username, same password and 2fa only if it is required for an account.
Anything more and they aren’t the layperson anymore. They are security conscious that they use difffrent passwords or password manager.
Anything more and they become paranoid (rightfuly or not, it isn’t for me to judge as there are jobs that require as much protection as possible)
When an email is compromised, changed and there isn’t any footprint due to deletion of any suspicious activity then laypersons whole internet presence is compromised.
Emails will keep incoming into the same inbox when there is suspicious activity, if email can’t be changed easily
Well, I’m not a security expert, yet I do thesr things.
Having a single email address for everything not only compromises your security, but it’s a spam nightmare.
And having one email makes you an easier target compared to having one different email per account. It’s just a numbers game.
A hacker or bad actor may gain access to one, but not all of your accounts.
Most people may not be as security savvy, but that’s likely because companies don’t really do much to encourage good security practice.
They lack 2fa, they use horrible “what’s your mother’s maiden name?” questions, and e-mail based account confirmation. I don’t blame people for not hardening their accounts when they aren’t even given good options to.
I literally am a security expert and the only thing I change between accounts is my password, which I put in a password manager.
With that said I do have other usernames/email addresses that I use if I’m doing something that I don’t want attached to my public persona. These can also be stored in the password manager so all is still good.
But individual email addresses per account is overkill and a management nightmare, with a very minimal security tradeoff. I’m not exactly expecting a state sponsored attack on my email after all.
But individual email addresses per account is overkill and a management nightmare
Since I use a password manager, it’s quite easy to manage, just like different passwords for each account. No difference.
But having different email addresses also help with reducing spam, so it’s worth it just for that.
Now I’m not part of this, but a international student just got scammed $170 000 dollars over 3 months. They believed that the police had seized their Australian bank account and were contacting them related to their identity being stolen. It wasn’t at the time of call, but the international student, maybe 25, was fully profiled. They knew where he studied, who they had been talking to. At the time of call, the poor kid thought he was talking to the police, gave every bit of information including bank account which had mfa, but undid it and and followed the scmmers requests believing he would be deported. He called home to his parents and asked them for more money even in order to build a new account because he believed is other one was frozen, the new account was under order and control of the scammer who this kid trusted. The scammer even made this kid move into a hotel for a week as their “premise needed to be searched” it wasn’t for a month after this that it was found because the kid believed he couldn’t tell anyone before the school (where he was attending but kept leaving to take calls which is a no no) had to tell the kid that absenteeism will result in the student visa being cancelled. At that point it all came out, month and more of being scammed.
My point is, no it’s not business. Just look at the YouTubers, just watch Jim Browning. Just ask people, it’s a multi billion dollar industry. And it’s not limited to rules like ‘business’.
I wish it was easier sometimes, but it can be a security issue.
It’s a security issue to NOT allow the updating of email addresses, though.
Man that does sound mildly infuriating.
If I have to contact support to do any mundane change to an account, my email usually begins with ‘Delete my account’.
Security measures, most probably.