
It’s Time to Get Serious About Security

May 29th, 2008

Filed under: privacy, security, usability — mike hall @ 6:45 am

Scott has been receiving emails from Sprint for several months now. The emails are kind and courteous and they thank him for his payment. They’re in plain text, no links. It’s not spam. It’s a real email from Sprint. The problem is that it’s not for Scott’s account. The emails are intended for another Sprint customer, but for some reason they are being sent to Scott. Scott emailed Sprint’s customer service about the situation, but armed with nothing more than the email address they had been sending the payment receipts to, they just couldn’t figure out who should actually be getting the emails.

So Scott and I decided to set out and see what we could find out from just the email address. First, we went onto Sprint’s site and saw the login area of the webpage:

The "forgot username" link looked inviting, so we clicked there. Now all we have to do is enter the email address:

Email address entered and sent. Shortly afterward we received an email with the username. Success! But wait, what’s this? The email conveniently contained a link to the forgot password page:

Ok, Sprint, now you’re just making this too easy. We entered the email address and username and then received another email with a customized link to set a new password. Yes, that’s all it took. We now have full access to this guy’s account and all because he put in the wrong email address. We’re nice guys and all, so we logged out and sent an email to Sprint with the username to see if they would finally rectify the situation.

So here’s the question of the day: Is Sprint’s site truly secure? Should an email address really be treated as the key to the kingdom, so that anyone with access to the mailbox gets access to everything else? Shouldn’t at least one security question (however secure or insecure such questions actually are) have been asked somewhere in this process? The idea that security and usability are at odds has been floated around a lot: making something more secure tends to make it less user friendly, and vice versa. Everyone wants their web site, application, and product to be as easy to use as possible, but security simply shouldn’t take a back seat.

In a world where multi-factor authentication is readily available, something like this just shouldn’t happen. There are plenty of different one-time security tokens (some with screens and some that act as virtual keyboards), fingerprint scanners, and many other solutions that are orders of magnitude more secure than a password (especially a password with an email address backdoor).

So when you’re designing your next web site, web application, or regular desktop application, stop and think through all the different avenues that deal with authentication and security. Think about what can be done if an attacker has only one authentication factor, or if an attacker gains control of the email address associated with a user’s account, or if an attacker figures out one or more answers to your security questions. Are you comfortable with what the attacker can or cannot access? Is a little loss in usability and ease of use worth the extra security to prevent these sorts of attacks?
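To make the threat-modeling exercise above concrete, here is the email-only recovery flow the post walks through, beside a hardened version of the same user journey. This is an added example, not Sprint’s code and not part of the original post: the account, mailbox, 15-minute token lifetime and TOTP second factor are all assumptions constructed for the example, and the user store is a dictionary rather than a real database.

```python
"""Weak vs hardened account recovery (added example; not Sprint's code)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

RESET_TTL = 15 * 60   # seconds a reset token stays valid (assumed policy)
GENERIC_REPLY = "If that address is on file, instructions have been sent to it."


@dataclass
class User:
    username: str
    email: str
    password: str         # plaintext only to keep the toy short
    totp_secret: bytes    # hypothetical enrolled second factor


@dataclass
class Site:
    users: dict = field(default_factory=dict)
    mailbox: dict = field(default_factory=dict)   # email -> last message sent
    resets: dict = field(default_factory=dict)    # token (or its hash) -> record


def make_site() -> Site:
    """Constructed sample account (not real customer data)."""
    site = Site()
    site.users["subscriber42"] = User("subscriber42", "scott@example.com",
                                      "hunter2", b"12345678901234567890")
    return site


def _by_email(site: Site, email: str):
    return next((u for u in site.users.values()
                 if u.email.lower() == email.lower()), None)


# ---- Weak flow: the one the post walks through --------------------------------
# Username and reset link are both mailed to the address on file and nothing
# else is asked, so whoever reads that mailbox can set a new password.

def weak_forgot_username(site: Site, email: str) -> bool:
    u = _by_email(site, email)
    if u is None:
        return False                       # different reply: enumeration oracle
    site.mailbox[email] = f"Your username is {u.username}"
    return True


def weak_forgot_password(site: Site, username: str, email: str) -> bool:
    u = site.users.get(username)
    if u is None or u.email.lower() != email.lower():
        return False
    token = secrets.token_urlsafe(32)
    site.resets[token] = username          # raw token stored, never expires
    site.mailbox[email] = f"reset-link?token={token}"
    return True


def weak_set_password(site: Site, token: str, new_password: str) -> bool:
    username = site.resets.get(token)
    if username is None:
        return False
    site.users[username].password = new_password
    return True


def weak_takeover(site: Site, email: str, new_password: str) -> bool:
    """Replays the post: the address plus mailbox access is enough."""
    if not weak_forgot_username(site, email):
        return False
    username = site.mailbox[email].rsplit(" ", 1)[1]
    weak_forgot_password(site, username, email)
    token = site.mailbox[email].split("token=", 1)[1]
    return weak_set_password(site, token, new_password)


# ---- Hardened flow ------------------------------------------------------------
# Same journey (enter email, click link) but: one generic reply, token hashed
# at rest, short expiry, single use, and a second factor at the final step.

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    code = int.from_bytes(mac[o:o + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hardened_request_reset(site: Site, email: str, now: int) -> str:
    u = _by_email(site, email)
    if u is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        site.resets[digest] = {"user": u.username, "exp": now + RESET_TTL, "used": False}
        site.mailbox[email] = f"reset-link?token={token}"
    return GENERIC_REPLY                   # identical whether or not the address exists


def hardened_complete_reset(site: Site, token: str, code: str,
                            new_password: str, now: int) -> bool:
    rec = site.resets.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["exp"]:
        return False
    u = site.users[rec["user"]]
    # Mailbox access alone must not suffice: demand the enrolled second factor.
    if not hmac.compare_digest(totp(u.totp_secret, now), code):
        return False
    rec["used"] = True                     # single use
    u.password = new_password
    return True
```

With the weak flow, `weak_takeover` succeeds with nothing but the address and its inbox, which is exactly what happened to the misaddressed Sprint customer. In the hardened flow the same attacker still receives the link but cannot finish without the second factor, the token is useless once used or expired, a database read exposes only hashes of live tokens, and the "forgot" endpoints no longer confirm which addresses are customers.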

What scares me is that had Scott and I not been such nice guys, we could have signed this poor sap up for Sprint’s Family Locator service and tracked him and his family right on their web site:

Now tell me how secure that is…

3 Comments »

  1. […] It’s Time to Get Serious About Security - Mike Hall Having a non-secure website is bad enough, but ignoring customers who take the time to spell this out for you … how would you feel if you’re the guy/gal that spelled their email address wrong with this possible consequence […]

    Pingback by Arjan`s World » LINKBLOG for May 29, 2008
    May 29, 2008 @ 10:28 am

  2. This is really insecure. Your email address is in effect public (everybody you send an email to sees it, then they forward your email to someone else, who sends to someone else, …). Given the large customer base that the phone companies have, you could probably get into people's accounts just by randomly trying email addresses you know - even without the user making the error you came across. Even worse, what happens if you have a disgruntled ex-boyfriend/girlfriend - they probably already know your email address and phone company.

    Comment by Richard Gardiner
    May 29, 2008 @ 10:37 am

  3. Don’t get me wrong. You still need to be able to access the email account for this to work, since the emails with the username and reset password link are sent to that address, but how secure are most people’s passwords anyway?

    Comment by mike hall
    May 29, 2008 @ 11:57 am




This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.