A large national organisation decides to implement a new national email system available to all new and existing staff members who have an entry in the national directory.
In order to make the registration as easy as possible they pre-feed the directory with nearly 700000 names and email addresses of existing staff.
Now, in order to register for your account, you go to the website and search on surname and the first few letters of your first name. This produces a list of all the matching accounts from the directory which have not yet been registered for the new mail system. Once you have found your entry, you select it, check that a few details are correct, then click on a link to confirm that you are who you say you are. Then it's on to setting passwords and suchlike.
Guess how many checks are in place to ensure that you can only register in your own name, and to stop other people registering as you?
The entire registration system relies on honesty, which, as has been proven many, many times, is something a lot of people lack. There is absolutely nothing stopping someone registering as any one of nearly 700000 people. The only way to stop someone registering as you is to register yourself first.
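To make the flaw concrete, here is a small model of the two registration designs side by side. It is an added illustration written for this post, not code from the organisation's actual system, and the directory entries, identifiers and class names in it are made up. `HonourSystemRegistry` is the flow described above (anyone can claim any unclaimed entry); `TokenRegistry` is the obvious fix: an entry can only be claimed with a single-use, time-limited enrolment token that was issued out of band to the person's existing record, so a stranger searching the directory gets nothing they can act on.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample of the pre-fed directory (names and IDs are invented).
DIRECTORY = {
    "D001": {"surname": "Smith", "given": "Alice", "role": "Chief Executive"},
    "D002": {"surname": "Jones", "given": "Bob", "role": "Analyst"},
}


def hash_password(password: str) -> bytes:
    """Salted PBKDF2 so the registry never stores the password itself."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def search_unregistered(claimed, surname: str, given_prefix: str):
    """The search step from the post: surname plus first letters of the first name,
    returning only entries nobody has registered yet."""
    return [eid for eid, e in DIRECTORY.items()
            if e["surname"].lower() == surname.lower()
            and e["given"].lower().startswith(given_prefix.lower())
            and eid not in claimed]


class HonourSystemRegistry:
    """Model of the live system: the only check is that the entry is still unclaimed."""

    def __init__(self):
        self.claimed = {}

    def claim(self, entry_id: str, password: str) -> bool:
        if entry_id not in DIRECTORY or entry_id in self.claimed:
            return False
        self.claimed[entry_id] = hash_password(password)  # first come, first served
        return True


class TokenRegistry:
    """Hardened model: claiming requires a single-use enrolment token that was
    issued out of band (e.g. to the address or manager already on the record)."""

    TOKEN_TTL = 7 * 24 * 3600  # seconds; hypothetical policy value

    def __init__(self, clock=time.time):
        self.clock = clock
        self.claimed = {}
        self._tokens = {}  # entry_id -> (sha256(token), expiry); token never stored in clear

    def issue_token(self, entry_id: str) -> str:
        if entry_id not in DIRECTORY or entry_id in self.claimed:
            raise KeyError(f"no claimable entry {entry_id}")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._tokens[entry_id] = (digest, self.clock() + self.TOKEN_TTL)
        return token  # handed to the out-of-band delivery channel, not shown on the website

    def claim(self, entry_id: str, token: str, password: str) -> bool:
        record = self._tokens.get(entry_id)
        if record is None or entry_id in self.claimed:
            return False
        digest, expiry = record
        if self.clock() > expiry:
            del self._tokens[entry_id]  # stale token is discarded, a fresh one must be issued
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time comparison
            return False
        del self._tokens[entry_id]  # single use
        self.claimed[entry_id] = hash_password(password)
        return True
```

The point of the second class is not the cryptography but the binding: the website alone can no longer turn "I found an entry with my boss's name on it" into an account, because the secret needed to complete the claim travels down a channel the directory already trusts for that person.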
Which people are the least likely to use a PC and register for their account? The Chief Executive and Director level users who would be the most likely users to target if you wanted to cause mischief.
Whoever thought up that security model needs taking out and shooting. I can’t believe anyone is naive or stupid enough to think that it would work. However this system went live yesterday morning.
I give up, I really do.