Sunday, June 03, 2018

Transacting business over unverified email addresses = Not Smart

On April 21, I received an email from 'SGW Payroll' [sgwpayroll.com and paydashboard.com]:

Welcome to the SGW Payroll Portal [Redacted First Name]
A new employer admin account has been created for you, either by one of your colleagues or by us at SGW Payroll Ltd.
Please click on the following link to choose a password and sign in to your account. [Redacted Link]
You are receiving this email as your employer uses PayDashboard to deliver your payslip. Click here to manage your email preferences.
This welcome email looked phishy, so I checked the headers, then the payroll site, and it looked legitimate. I'm in the US, this company is in the UK. It is pretty obvious this was a mistake - likely bad entry of email address, but note the lack of any method for me to indicate there was an error. Therefore I ignored the email hoping that the intended recipient would realize they did not get the expected welcome email and correct the problem.

On April 25, I get another email:
SGW Payroll Ltd has published new documents for [Redacted - Name of Business] within your document storage hub. Log in to view or download the documents.

This was bad.  Looks like there is now an active account - mind you, an 'employer admin account', that somehow, without clicking the link, they started to use.  I also now have the name of the business.  At this point, I decide this could be a real problem, so I forward the email to support@paydashboard.com with the message "I did not request this, it is likely someone mistyping their email address."  I get an automated response, then a reply from "Paul Gibbons" from their support: "Thank you for your email. We have started an invesitigation [sic] to have this removed. Thank you for bringing this to our attention." Awesome. Case closed.

On May 21, almost one month later, I get yet another email - same template as the prior one.  I respond back to the support request as follows:
I received another email today. Please resolve this. I am not the intended recipient.  There is no 'investigation' required. You are in the UK. I am in the USA. I do not work for this [Business type redacted].  At this point I consider this to be:
  1. Horrendous security on your part.  Any email address entered into your system should have a 'confirm' step where you send an email to test the ability of the recipient to receive an email. They click on a link and log into your system. Only then should you consider the email address 'worthy' of use for anything sensitive.
  2. Even MORE Horrendous security on your part. Someone sending you a reply saying they are NOT the intended recipient should IMMEDIATELY result in removal of the address, flagging it as suspect.
Please have a supervisor/manager contact me immediately. I really do not wish to engage in a public humiliation campaign against your company. You are sending someone else payroll information!!!!!!!!!!!!!!!  This is crazy!!!!!!!!!!
I get a response, again from Paul Gibbons: "You [sic] ticket has been escalated to myself to review. I will speak with the agent populating our software to establish what is happening and will revert back."  That's awesome. I ask for elevation, and the SAME GUY elevates the issue to HIMSELF.

I decide to take a closer look at the company's website to find contact information for someone outside of support. No luck.  I now have the name of their CISO but am unable to find an email address at the corporate level or via LinkedIn.  I reply to Paul: "Paul, you 'reviewed' it the first time, and did not correct the issue. Please have Jeremy Lloyd contact me, ASAP." To which I received the reply from Paul: 'We will respond once the investigation has been completed.' I give Paul one more chance to fix this.

On June 1, I received another email:
There are a couple of things you might want to take a look at
Hi [Redacted - First Name]

As we are able to compare data based on your employees payslips, we want to let you know when we spot something we think you should take a quick look at.

When you log in to your Employer Dashboard you will see "Notifications" at the top right of your dashboard. Click on the link to view the latest notifications for your company. [Redacted - Name of Business, links, rest of email, etc]
In response, I will send Mr. Gibbons a link to this post.

Since this saga began, I have received several other emails obviously intended for a person in the UK with a similar email address to mine.  From the information in these emails, I can tell you full names, address, purchases, restaurant reservations, bed and breakfasts where they spent their holiday, etc. I can also tell you that no entry point into various systems required even a simple 'click to confirm this is you' email address confirmation. I could have cancelled a dinner reservation with a simple click.  It sounds a bit scary, but I have to believe most people would do the right thing. 

Advice to developers and analysts, especially with GDPR:

  1. At a minimum, you need a business process to handle an 'I got this email by mistake, it is not intended for me' response from a user. Always. It could be completely manual. But this DOES HAPPEN.
  2. At any entry point into your system - a welcome email or similar - provide a link to initiate that 'incorrect email' business process. Every email from that first contact until the email address is determined to be valid should have a similar link, and NOT disclose personal information. Only consider an address valid for an account when a link clicked from an email (or a code sent only via email) is authenticated as being from that user.  This does not need to be a login per se; a text message from a registered phone, etc. could all be valid. 
  3. An unconfirmed email address should never be the sole means by which you reset a password or create an account. [NOTE: I did not try to see if I could do this with PayDashboard, as I consider that to be fraud. I would be surprised if I couldn't reset the password].
  4. Some email providers ignore punctuation, like Gmail.  Others also allow automatic aliasing, such as Gmail, where you can add a "+" with other text and the plus and text are ignored.  This is great for users, as I can filter emails based on this. However, accidental or intentional creation of multiple accounts is possible for want of a period.  This is something to be aware of; I'm not sure how actionable it is.
  5. You should publish an email address or a method of contact for the executive team of your company. It should be monitored and legit messages forwarded. Sometimes through poor training, incompetence, or merely one person having a bad day, an interaction with your company WILL go poorly. You should give a method to reach the executive team so that these can get handled sooner rather than later.
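As an added example (not code from this post, and not PayDashboard's own software), here is a minimal Python model of the flow items 1 to 4 describe: an address starts unverified, the welcome mail carries only a confirm link and a 'not me' link, sensitive content goes only to verified addresses, and a 'not me' click flags the address as suspect. The MailGate class, the in-memory outbox and the Gmail dot/plus canonicalisation are my own assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

UNVERIFIED, VERIFIED, SUSPECT = "unverified", "verified", "suspect"

def canonical(address: str) -> str:
    """Key addresses so Gmail dot/plus variants map to a single record (item 4)."""
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"

@dataclass
class AddressRecord:
    state: str = UNVERIFIED
    confirm_token: Optional[str] = None  # single-use, proves mailbox control
    not_me_token: Optional[str] = None   # single-use, lets a stranger opt out

class MailGate:
    def __init__(self) -> None:
        self.records: dict = {}  # canonical address -> AddressRecord
        self.outbox: list = []   # (address, body); stands in for the SMTP relay

    def register(self, address: str) -> AddressRecord:
        """Welcome mail carries a confirm link and a 'not me' link, nothing else."""
        rec = self.records.setdefault(canonical(address), AddressRecord(
            confirm_token=secrets.token_urlsafe(32),
            not_me_token=secrets.token_urlsafe(32)))
        if rec.state == UNVERIFIED:  # never re-mail a SUSPECT or settled address
            self.outbox.append((address, f"confirm={rec.confirm_token} "
                                         f"not_me={rec.not_me_token}"))
        return rec

    def _consume(self, address: str, token: str, field: str, new_state: str) -> bool:
        rec = self.records.get(canonical(address))
        expected = getattr(rec, field, None)
        if expected is None or not secrets.compare_digest(expected.encode(), token.encode()):
            return False  # unknown address, already settled, or wrong token
        rec.state, rec.confirm_token, rec.not_me_token = new_state, None, None
        return True

    def confirm(self, address: str, token: str) -> bool:
        return self._consume(address, token, "confirm_token", VERIFIED)

    def not_me(self, address: str, token: str) -> bool:
        return self._consume(address, token, "not_me_token", SUSPECT)

    def send_sensitive(self, address: str, body: str) -> bool:
        rec = self.records.get(canonical(address))  # payslips only to VERIFIED
        if rec is None or rec.state != VERIFIED:
            return False
        self.outbox.append((address, body))
        return True
```

A 'not me' click with the single-use token settles the record as suspect, after which neither the confirm link nor any sensitive mail can reach that address.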