Being able to update or rotate email addresses is a security matter, so I'd rather have that control than not.
For example, someone mentioned that if a bad actor had access to your email, they would be able to access all your accounts.
But I would argue that if your email address was compromised, and you needed to change the login email for important accounts as a counter-measure, this wouldn't be an easy option. So this bad actor would have more control over your accounts (i.e. resetting passwords) than the user.
I don't mind implementing strong security, as it's often done when setting up an account for the first time, getting 2fa enabled, etc. But updating an email shouldn't be this difficult. My banks allow me to do it, but our local sporting good store doesn't? Come on! 😂
I'm not going to go down the route of arguing whether or not the bank should allow it to be easy to change your email address, but if somebody has compromised your email with the intention of compromising your other accounts, they are going to change the email addresses and passwords on those accounts before you have a chance to react, and you're going to be on the phone with each one of those institutions anyway. You don't hear a lot of this happening anyway, because it's usually a lot safer to con somebody out of their money than it is to smash and grab out of their accounts, and probably as easy if not easier.
As for the sporting goods store, I can imagine a couple of reasons for their decision, but it probably has as much to do with spamming your email as it does security, if it has anything to do with security at all.
Your email is often the only method used/available to recover an account you've lost access to. Changing it requires absolute certainty that it is the account owner making the change.
It's frustrating, but a necessary evil imo.
At least changing it is an option; many places build their account systems around your email being immutable. If you want to change it, you've gotta make a new account and request anything you can't manually move be moved over for you.
I have never used a single service that requires me to contact support for an email change. Moreover, they email you a link to verify and if you don’t, the email remains unchanged.
There’s literally no panic button for an email change; not sure what era you’re computing in, but it ain’t from the last 15 years.
Your email is often the only method used/available to recover an account you’ve lost access to.
Unfortunately, this is a weak security practice that really is used everywhere.
2fa helps mitigate the risk. An alternative email or even (cringe) phone authentication is better than email recovery.
Changing it requires absolute certainty that it is the account owner making the change.
While that sounds good, it's really not reality. An angry spouse, who would have access to their partner's email address through a shared computer (for example), could easily wreak havoc by using this exploit.
But if that partner used random email addresses and strong 2fa, there's almost no risk.
There's unfortunately a fine line between too-easy access to someone's accounts and losing all your accounts if you forget the login details. I'm willing to take the latter option, because it's less convenient for me (if that ever happens), but far better than if your data got into someone else's hands.
Getting back to my OP... the vast majority of these accounts are not important enough for me to even worry about account security, so not being able to change the email address is just a poor user experience. My bank was by far the easiest to change emails on! LOL
I can't think of a single account that I've had to call anyone to change, as long as I had access to both email addresses (the one I was changing from and the one I was changing to).
I recently changed my personal email. Updated every account I knew of (thanks Bitwarden!!). Updated about 120 accounts, closed maybe 20, and 5 or so can’t be changed.
Of the ~120 that I changed, I think about half of them were easy to change. Not much confusion. There was a clear enough process. Etc. Most of the rest were difficult to change but I could do so on my own eventually.
Something like ~10 accounts required emails and phone calls to support.
A few were terrible. Things like updating my email address in 10 places for one account. Or the updates go fine but just didn’t work, requiring many repeat attempts or phone calls.
So it’s a real problem in my experience. But not the norm. Maybe 1/10 rather than 9/10.
I tried to ditch Gmail completely and a year later I still have some services (my kids school etc) where the Gmail email is my login even though I’ve changed the email. Not possible to change the login.
I’ve run into that a few times, but usually just on financial sites or services where an attempted account hijack may be likely, and it’s ultimately a good thing. There have been one or two where it seemed entirely unnecessary though, so I get the frustration.
Yeah, anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address). But random superfluous websites I use for entertainment or socializing? Get outta here.
anything handling sensitive data (medical, legal, financial, etc) absolutely needs stringent and thorough processes for completely changing login information (i.e. email address).
Hardware-based 2fa would be nice, but it seems that these same organizations are among the only which DON'T have hardware-based 2fa and insist on texting codes, instead.
None of them actually take security seriously, even though all of them should be!
Funny enough, all my banks allow me to change my email address easily through their app or website! And they DON'T offer strong 2fa, so security is the least of their priorities.
But so many sites, like our local hardware site or G2A (for buying software keys) don't, and I'd rather close the account (done through their website, no less!) than go through the hassle of contacting support.
Someone would need to know what accounts you have (which are not stored on my email), then know the password to access them.
That's if they are able to bypass the 2fa I have set on each account that offers it.
And it's also too bad for them, because I use a different email address per account, which can be rotated and changed (if the damn site allows you to update your email).
You need to have good security for all your accounts, and allowing a user to rotate email addresses between various websites is as important as allowing me to update my password whenever I like.
Really, the inconvenience of not allowing me to change my own account far outweighs the unlikelihood that anyone would compromise my email address (hasn't happened in over 25 years, and that's with having at least a dozen different email addresses).
Someone would need to know what accounts you have (which are not stored on my email)
Aren't they?
Access to your emails means access to your messages. If I see you get a lot of Amazon email, I can reasonably assume you have an Amazon account.
Most services send you emails at least on registration.
then know the password to access them.
Nope. Because I have your email account. And the usual method for resetting a password is via an email sent to your email account. That I've already compromised.
That’s if they are able to bypass the 2fa I have set on each account that offers it.
That last part is a pretty big asterisk. Sites that offer it are in the minority still. That also assumes your 2FA method isn't email.
And it’s also too bad for them, because I use a different email address per account, which can be rotated and changed (if the damn site allows you to update your email).
You do realise the average person will never do this, right?
There are massive collections of databases online that find where breaches have occurred, allowing attackers to dump the database of that service, then collect all those database dumps together to identify all known accounts under an email address. Then, once that email account ever has a password breach, attackers can look up and see 'was this password also used on other accounts?' and attempt to use the same email and password on them. Moreover, they will just try that email regardless of known affiliation; if they already have a username and password across many online services, it's safe to assume this will work sometimes. This is the essence of a credential stuffing attack.
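The credential stuffing described in the comment above has a recognisable footprint on the receiving side: one source tries a leaked email/password pair against many different accounts in a short window, whereas a legitimate user who mistypes their own password fails repeatedly on a single account. The following is an added example, not code from this thread or from any product mentioned in it, showing how a service could flag that pattern in its own authentication log. The log format, the IP addresses, the user names and the thresholds (a 5-minute window, 5 distinct accounts) are all constructed assumptions for the demonstration.

```python
"""Flag credential-stuffing sources in an authentication log (added example).

Heuristic: a single source IP that fails logins against many *distinct*
accounts inside a short window. Any SUCCESS from such a source is reported
separately, because that account is the one a defender should act on first
(force a password reset, invalidate sessions, notify the user).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; format and values are assumptions, not real data.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.4 user=alice@example.com result=SUCCESS
2024-05-01T10:01:00Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-05-01T10:01:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-01T10:01:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2024-05-01T10:01:05Z ip=203.0.113.7 user=erin@example.com result=SUCCESS
2024-05-01T10:01:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-01T10:01:08Z ip=203.0.113.7 user=grace@example.com result=FAIL
2024-05-01T10:01:09Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2024-05-01T10:30:00Z ip=192.0.2.10 user=ivan@example.com result=FAIL
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (ts, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: {"distinct_failed_users": n, "successes": [users]}} for
    every source IP that failed against >= min_distinct_users distinct
    accounts within any sliding window of the given length."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

    fails_by_ip = defaultdict(list)      # ip -> [(ts, user), ...] in time order
    successes_by_ip = defaultdict(list)  # ip -> [user, ...]
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
        elif result == "SUCCESS":
            successes_by_ip[ip].append(user)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        # Sliding window over the time-ordered failures: track the largest
        # number of distinct accounts this source failed against within `window`.
        start, best = 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({user for _, user in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct_users:
            flagged[ip] = {
                "distinct_failed_users": best,
                # Successful logins from a stuffing source are the likely hits.
                "successes": successes_by_ip.get(ip, []),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_failed_users']} distinct accounts failed; "
              f"successful logins: {info['successes'] or 'none'}")
```

On the constructed log, `198.51.100.4` (one user, three attempts) is ignored as an ordinary typo pattern, while `203.0.113.7` is flagged for failing against six different accounts in nine seconds, with `erin@example.com` reported as the account it did get into. In a real deployment the thresholds would be tuned against the service's baseline, and the source key would usually combine IP with ASN or device fingerprint, since stuffing tools spread attempts across many addresses.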