Security News > 2020 > December > Pure frustration: What happens when someone uses your email address to sign up for PayPal, car hire, doctors, security systems and more

Many companies have no mechanism to deal with a common problem: when users open accounts using someone else's email address, either by accident or design.

The problem is not only that email addresses are easily spoofed - mitigated by mechanisms like SPF and DKIM - but that they also lack any robust process by which organisations collect email details.

Best practice is to treat any claim to an email address as suspect until the user has verified their ownership via a key sent to that address, but this is by no means universally followed, as well as being vulnerable to a confused recipient inadvertently clicking a confirming link.

"The most recent sign-up was to Paypal, so there are now 2 accounts linked to my email under 2 different aliases. Paypal's phone number does not work, the auto chat is useless and when you ask to speak to a person you get an apology 6 days later that they did not get back to you," he told us, though he does not think the person is actually able to log in to PayPal using this email address.

One of the problems is that most such emails come from email addresses helpfully marked "Do not reply." How then do you contact the company to inform them of their error? "It is always the same," he said.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/12/08/pure_frustration_what_happens_when/