Revise Multifactor Authentication security for Yahoo! mail (I detected an issue with mail)
As is commonly known, phone numbers are recycled after their allotted usage. This means that when a user's phone number enters recycling, their authentication number is recycled back into use.
Since Yahoo! does not require a user to know an email address to recover an account but only a phone number, this presents a significant security flaw.
The new buyer of an old phone number can log in to Yahoo! mail, type the phone number and access the email of the previous number owner without knowing the email address. Requiring him to type the email address would solve the problem.
I submit Multifactor Authentication phone numbers to regular testing and pruning, and require people who use a phone verification key to enter the email address, so that there is no collision and the previous number owner's email does not become accessible to someone else.
As an alternative, Yahoo! could deactivate all email accounts which have been inactive for 12 months, and not only some accounts. That would ensure that the buyer of an old phone number would not be able to gain access to the previous phone number owner's email without knowing the email address.

9 comments
Comments are closed
Anonymous commented
In response to Product Support - Yahoo is now requiring your phone number to be added to contacts in order to access your Email now. Product Support's response is incorrect. The phrase "phone number or alternate email address" is actually "phone number AND alternate email address".
Yahoo Product Support should also look up IMEI cloning. Using a phone number is by no means secure. Even old-fashioned telco physical lines are not secure (child's play to tap). Considering the amount of junk Email Yahoo pushes into your inbox, the phone number is likely just another way (contact point) to advertise to its users. Yet more robo-calls. Suggestion to Yahoo - back away from using the phone contact requirement to log on.
-
samuel samuel commented
We, the users of Yahoo! mail, are concerned for the security of our emails, because this issue could cause so much confusion.
Yahoo! must take this into consideration.
Phone numbers are regularly recycled. If I buy a new phone number, I could easily access the Yahoo! mail of the PREVIOUS OWNER of that number. It doesn't even require me to type the email or first and last name.
All it asks me to type in is the phone number, and it sends me the SMS which contains the access key. It lists multiple emails and I can pick any. This is a serious security threat for Yahoo! mail users because I can buy a new phone number, type in the number, receive the SMS and access the Yahoo! mail of the PREVIOUS OWNER of that number.
This could lead to so much confusion. A friend has told me that this has actually happened to him once.
Simply requiring people to type credentials such as name or the email address BEFORE they receive the SMS which contains the access code, would end this problem and avoid much confusion. It is a simple solution. Will Yahoo! do anything about this?
Yahoo! mail should do something about this. Simply require them to type the email or credentials before they receive the SMS. That would make us Yahoo! mail users feel more secure, and not everyone is aware of this flaw.
Recommending us to update our account recovery information and removing any unwanted number is not enough, as there are many people who are not even aware that access to the Yahoo! of the PREVIOUS OWNER of the phone number is so easy.
Yahoo! mail users want to feel safe, and this would prevent confusion for people who were not aware of this.
Simply require people to type their name or Yahoo! mail address before you send them the SMS which grants them access to the mail.
-
samuel samuel commented
Thanks. A friend said that he once bought a new phone number, entered the number into the login, received the access key, and then accessed the email of the previous owner of the number.
Simply requiring the person to type the email address/credentials/first and last name before sending him the SMS which contains the verification code, would end the problem entirely.
Also, not all accounts that are inactive for 12 months are deactivated, only some.
-
Christina Kirkman commented
Yes, something should be done about this. I'm surprised that is all it takes to gain access to an account.
-
Briana Huddleston commented
This sounds like a great idea! Clever!
-
bob bob commented
That doesn't sound good.
-
Anthony Stringfellow commented
.
-
samuel samuel commented
submit Multifactor Authentication phone numbers to regular testing and pruning*
-
samuel samuel commented
As you know, old phone numbers are periodically assigned to new owners. Yahoo! mail allows the new buyer of an old phone number to receive a verification key without knowing the email address or having to enter the first and last name of the email. This means that confusion might happen and might lead to security issues for Yahoo! users. The new buyer of an old phone number can log in to Yahoo! mail, type the phone number and access the email of the previous number owner without knowing the email address. Requiring him to type the email address or first and last name before gaining access would solve the problem.
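The recovery flow described in the original request and again in samuel samuel's comments, modelled as an added example that is not Yahoo!'s code or the page author's: a phone-only lookup that hands back every account bound to a number sits beside a hardened flow that requires the email address before any SMS is sent, ties the code to the (email, phone) pair, rejects phone bindings that have not been re-confirmed within a window, and refuses accounts that have been dormant longer than the inactivity threshold, together with the check a periodic pruning job would run. All account data, dates and thresholds are constructed for the example, `secrets.token_hex` stands in for the SMS code, and the SMS send itself is left out.

```python
from dataclasses import dataclass
from datetime import date
import secrets


@dataclass
class Account:
    email: str
    phone: str
    phone_verified_on: date  # last time the owner re-confirmed this number
    last_login: date


# Constructed sample data: alice's number was recycled to bob, so two
# accounts are bound to +15550100; dave has a fresh number but is dormant.
ACCOUNTS = [
    Account("alice@example.com", "+15550100", date(2019, 3, 1), date(2019, 6, 1)),
    Account("bob@example.com", "+15550100", date(2023, 1, 15), date(2023, 11, 2)),
    Account("carol@example.com", "+15550199", date(2023, 5, 5), date(2023, 11, 1)),
    Account("dave@example.com", "+15550177", date(2023, 6, 1), date(2022, 1, 1)),
]

TODAY = date(2023, 11, 10)  # constructed "current" date for reproducible results


def weak_recovery(phone, accounts=ACCOUNTS):
    """Phone-only flow the page describes: whoever currently holds the number
    receives a code and a list of every account ever bound to that number."""
    matches = [a.email for a in accounts if a.phone == phone]
    if not matches:
        return None
    code = secrets.token_hex(3)
    # send_sms(phone, code) would go here; the collision is already visible
    # in the returned account list.
    return {"code": code, "accounts": matches}


def hardened_recovery(email, phone, accounts=ACCOUNTS, today=TODAY,
                      reverify_days=365, inactive_days=365):
    """Recovery that asks for the email first and binds the code to one account.

    `reason` is for the audit log only; the user-facing response should be the
    same whether or not a match existed, so the flow cannot be used to
    enumerate which numbers map to which mailbox.
    """
    acct = next((a for a in accounts if a.email == email), None)
    if acct is None or acct.phone != phone:
        return {"ok": False, "reason": "no_match"}
    if (today - acct.phone_verified_on).days > reverify_days:
        # Binding predates the re-verification window: the number may have
        # been recycled since the owner last confirmed it.
        return {"ok": False, "reason": "phone_binding_stale"}
    if (today - acct.last_login).days > inactive_days:
        # Dormant mailbox: the request's alternative mitigation.
        return {"ok": False, "reason": "account_dormant"}
    code = secrets.token_hex(3)
    # send_sms(phone, code) would go here, for this one account only.
    return {"ok": True, "code": code, "account": acct.email}


def stale_phone_bindings(accounts=ACCOUNTS, today=TODAY, reverify_days=365):
    """What a periodic pruning job would clear: numbers not re-confirmed
    within the window. Returns the affected emails without mutating input."""
    return [a.email for a in accounts
            if (today - a.phone_verified_on).days > reverify_days]


if __name__ == "__main__":
    print("weak flow for recycled number:", weak_recovery("+15550100")["accounts"])
    for who in ("alice@example.com", "bob@example.com"):
        r = hardened_recovery(who, "+15550100")
        print("hardened flow for", who, "->", r["ok"], r.get("reason", ""))
    print("bindings a pruning job would clear:", stale_phone_bindings())
```

Running it shows the weak flow listing both alice's and bob's mailboxes for the recycled number, while the hardened flow sends a code only for bob (the current owner with a recently confirmed binding) and logs alice's stale binding, which the pruning job would also surface.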