Friday, March 24, 2017

E-mail addresses as user IDs: stupid policy

Once again, Apple is facing a "hacking" fiasco that may have resulted from its own amateurish user-ID policy.

It's not that Apple was hacked; the problem is that millions of E-mail-address/password combinations have fallen into the hands of hackers. And those combinations are what Apple now forces you to use as your Apple ID, instead of letting you create a proper user ID. That is an ignorant policy.

Your E-mail address is on spammers' lists. When you cross-reference those lists with lists of common passwords, you get a boatload of cracked accounts. And when forced to set up a log-in ID that is an E-mail address, what percentage of the public thinks they have to use (or simply decides to use) the same password they use for their E-mail account? I'm guessing at least a quarter. So now these sites put every user's personal E-mail account at risk, regardless of which provider hosts it. That's why this policy is a monumental security blunder.

If ANY service you use suffers a hack or information theft that includes your E-mail address and password, that combination can be used to access other services (like Apple's) that insist on this ignorant user-ID policy. And indeed, Apple confirmed that this is exactly what happened: "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."
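As an added illustration (not part of the original post) of what this looks like from the defender's side: a small detector, run over constructed login records, that flags a source trying many different E-mail login IDs with few successes, which is the signature of a replayed third-party breach list rather than one user mistyping a password. The log line format and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the post). Assumed format:
# "<timestamp> ip=<source> user=<login id> result=<ok|fail>"
SAMPLE_LOG = """\
2017-03-24T10:00:01 ip=198.51.100.7 user=alice@example.com result=fail
2017-03-24T10:00:02 ip=198.51.100.7 user=bob@example.net result=fail
2017-03-24T10:00:02 ip=198.51.100.7 user=carol@example.org result=ok
2017-03-24T10:00:03 ip=198.51.100.7 user=dave@example.com result=fail
2017-03-24T10:00:03 ip=198.51.100.7 user=erin@example.net result=fail
2017-03-24T10:00:04 ip=198.51.100.7 user=frank@example.org result=fail
2017-03-24T10:00:09 ip=203.0.113.5 user=grace@example.com result=fail
2017-03-24T10:00:15 ip=203.0.113.5 user=grace@example.com result=fail
2017-03-24T10:00:30 ip=203.0.113.5 user=grace@example.com result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")

def parse_log(text):
    """Yield (ip, user, succeeded) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "ok"

def find_credential_stuffing(text, min_distinct_users=5, max_success_rate=0.5):
    """Flag source IPs that try many *different* login IDs with few successes.

    A forgetful user retries one account; a replayed breach list touches a
    different account on almost every attempt. Returns {ip: stats}, where
    "hit_accounts" lists the logins that succeeded and need a forced reset.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": set()})
    for ip, user, ok in parse_log(text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok_users"].add(user)
    flagged = {}
    for ip, s in per_ip.items():
        distinct = len(s["users"])
        rate = len(s["ok_users"]) / s["attempts"]
        if distinct >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": s["attempts"], "distinct_users": distinct,
                           "hit_accounts": sorted(s["ok_users"])}
    return flagged
```

The thresholds are illustrative; in production they would be tuned per service and combined with rate limits and a breached-credential check at sign-up.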

Here's another example of how this policy sets Apple and its customers up for security breaches and stolen data:

While in this case there's a software defect involved, it still demonstrates how a spammer (who of course already knows your E-mail address) only needs to acquire your password; he can auto-populate the "user ID" field with your E-mail address, making it look legit.

You don't see banks forcing you to use an E-mail address.  Nor brokerages.  Nor credit-card companies.  Hell, even the most obscure comment forums let you set up a legitimate user ID.  But not Apple.

Aside from the glaring security problem, there's common sense.  We all have numerous E-mail addresses by now, and many people's addresses change over time. Which one did I use to sign up for this or that Web site months or years ago?  And when an address goes defunct, people think they need to set up a new ID.  Apple tells users that their Apple ID must be a functioning E-mail address; now they have a boatload of customers with multiple Apple IDs each, preventing them from managing their iTunes/App Store purchases or downloading updates because Apple refuses to consolidate the accounts that its own ignorant policy created.

Of course, Apple's not the only tech company making itself look like amateur hour online.  Amazon has also "taken steps" in response to this attack, but has failed to fix the glaring user-ID problem.  A while back, LinkedIn was caught uploading people's calendar appointments from their mobile devices, and compromising millions of users' passwords.  The first of these was an unauthorized transmission of users' data (in clear text, no less), an offense against users (not to mention Apple's clearly stated policies).  The second was just a failure.

But consider the source: LinkedIn joins Facebook, PayPal, and Apple in their requirement that your user ID be an E-mail address.  The sheer ignorance of this policy undermines any security-related credibility its source might have.

Users shouldn't sit back and shrug this off.  You don't need to roll over for businesses that steal your time and allow others to steal your identity or data.  Use this form to tell Apple that this policy is unacceptable.  Point them to this post or paraphrase it; we need to stop this ignorance.

You can read more about this debacle at The Next Web.  And here's another massive data breach that's going to be much worse because of this asinine policy.

User IDs aren't the only playground for incompetence.  Here comes United Healthcare, screwing up the password field with another offensive policy.