Securing the Tech: Email Confirmation


Many of us have been annoyed when we sign up for a service and find that we have to go check our email to complete the process. I know I have been.

Called an email confirmation loop, this process is actually an incredibly important security step. It ensures that the service has a confirmed channel for communicating with its new user.

Earlier today I checked an email account I don't look at very often. It had been a few months since I looked at it, but I don't use it for much. I found several emails from a cable company (I won't name which) to a new customer of theirs we will call Dan for his (or maybe her) protection. The first email notified Dan that they would use this address to contact him in the future. Almost there, but there was no confirmation of the email address, just "OK, we will use this."

The next few emails were very concerning. There was one confirming an appointment to set up Dan's new service. This message had his name, phone number, home address, and account number. It also included the services that Dan had signed up for and the date and time of his installation appointment. There was another email notifying Dan that his bill was due soon with the amount due in the message.

I don't know who input the email address wrong. I imagine it was an employee of the cable company taking the information over the phone. It may have been Dan writing it down on a paper form. It may have been an online form that Dan filled out. It doesn't matter. This company should have confirmed the email address before sending private information out to who knows whom.

To be frank, they shouldn't have sent this information across the Internet in an unsecured email. Send an appointment confirmation, sure, but don't include the personal information about Dan in it.

Either way, all I should have seen was a message confirming Dan's email address telling me to disregard the message if I wasn't Dan. There should have been a link for Dan to click so that they would know he saw it.
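The confirmation loop described above, sketched as an added example (not code from the original post or from any company mentioned in it): the address stays unconfirmed until a signed, expiring link token comes back, and until then nothing but the confirmation message goes out. The function names, the in-memory `accounts` store and the 24-hour token lifetime are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key (assumed per deployment)
TOKEN_TTL = 24 * 3600              # assumed 24-hour validity for the link
accounts = {}                      # account_id -> {"email", "confirmed", "nonce"}

def _sign(account_id, email, nonce, expires):
    # Bind the token to this account, this exact address and this expiry.
    msg = f"{account_id}|{email.lower()}|{nonce}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def register(account_id, email, now=None):
    """Store the address as unconfirmed; return the token for the emailed link."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    accounts[account_id] = {"email": email, "confirmed": False, "nonce": nonce}
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(account_id, email, nonce, expires)}"

def confirm(account_id, token, now=None):
    """Confirm only on a valid, unexpired, not-yet-used token."""
    now = int(time.time() if now is None else now)
    acct = accounts.get(account_id)
    if acct is None or acct["confirmed"]:
        return False
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False               # malformed token
    expected = _sign(account_id, acct["email"], acct["nonce"], expires)
    if now > expires or not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    acct["confirmed"] = True
    return True

def outbound_mail(account_id, kind, body):
    """Gate: an unconfirmed address only ever receives the confirmation message."""
    acct = accounts[account_id]
    if not acct["confirmed"]:
        if kind != "confirmation":
            return None            # appointment, billing, etc. are held back
        # Fixed text with no account details, whatever the caller passed in.
        body = ("Confirm this address with the link below. "
                "If you did not sign up, disregard this message.")
    return (acct["email"], body)
```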

For the record, I am not mad that I got the email. I called the cable company and informed them that they had the wrong email address for Dan. They took the address out of their database and flagged the account to notify Dan that he needed to update his email the next time they get in touch with him. It took five minutes. I was happy to do it. I would appreciate someone doing the same for me. This just should not have happened to begin with.

However, I have seen worse. Last year I started getting mail for a Comcast customer (a company I have no problem at all naming and dragging through the mud). I don't know how they got my address, but I was not this gentleman. After I got his bill, not just promotional material in this guy's name, I called Comcast and informed them they had the wrong address. After about a half hour on the phone I was told there was nothing they could do, just throw the bill away. I continued to receive the bill for this account for several more months, including some saying that they were time sensitive.
