[Owasp-austin] Email address as login

Matt Tesauro mtesauro at gmail.com
Wed Oct 8 16:25:06 EDT 2008


I'm only hitting one point for now.  I'll try and send more info when I
get the chance as I've got the clock ticking on an upcoming meeting.
Luckily I type fast...

> Management's desire is for user convenience, and they cite many sites
> with stored payment information that use email address as login (Amazon,
> Paypal, etc.).

I had a similar argument along those lines.  What you need to think
about is if Amazon & Paypal's customer profiles match your customer
profiles.  In my case, it was totally opposite.

Here's my point:  For my case, we don't get $'s from the users in
question.  So for us, compromised accounts represent a cost without any
income to offset the loss.

The real question for you is if the increased income from making logins
easier will be greater than the costs from the loss of sensitive data.
Considering PCI requirements, increasing legal requirements for breach
notification, etc., you will really need to look at the revenue gained by
user convenience.  I have no idea of your revenue models, but estimating
the cost of a breach may give you some good numbers to work with.  Don't
forget to consider soft costs like loss of reputation, goodwill, etc.

I'm not saying email address is universally bad.  I'd love to have Jeff
Bezos's income.  Email address seems to be working for him.  What we
don't know is what mechanism(s) are in place at Amazon to mitigate that
risk.  They could basically be self-insuring by accepting a revenue loss
for account compromise, assuming their revenue is adequate.

HTH.  Off to meeting.

-- Matt Tesauro
OWASP Live CD 2008 Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project
http://mtesauro.com/livecd/ - Documentation Wiki

Chris wrote:
> I'm managing a team that is creating a web based account system. The
> accounts will have stored payment information, as well as access to an
> online game. Management has requested that we use email addresses as
> account login name. This seems counterintuitive to me from a security
> perspective for several reasons:
>
> - half of the equation for login
> - password reset mechanism uses that address with no other validation
> - we don't control email security for our users
>
> The actual known risks of account compromise are these:
>
> - compromised accounts can bill non-shippable, virtual goods to legitimate
>   owner's payment method
> - compromised accounts can block access to legitimate owner with no
>   secondary proof of ownership
>
> Management's desire is for user convenience, and they cite many sites
> with stored payment information that use email address as login (Amazon,
> Paypal, etc.).
>
> I am wondering if anyone has any opinions on the security of this type
> of system, or published works that they could point me to. Are the
> security risks for "email address as login" extreme paranoid edge cases,
> or do sites that use this have a fair amount of security issues that
> they offset with massive income?
>
> Thanks
>
> Chris