Should software accept data without suitable checks?

0
48
Tightened Security

The use of email in business is ubiquitous. Banks, commercial establishments and social media make use of email, either to communicate or as user names. Business houses not verifying the email IDs submitted by clients can lead to serious consequences or even humorous situations sometimes.

Should companies care if a wrong phone number or a wrong email is provided by the customer? The attitude appears to be that it is the customer’s problem. The trouble is that someone receiving the wrong email may not be happy either, and is less likely to ever use the services of an organisation that sends out emails to unverified recipients.

Loss of personal information can be significant. Here is an example of a stranger destroying a life for a perceived insult on social media — https://goo.gl/TfetuU. Imagine if a group gets upset and makes you a subscriber to thousands of mailing lists!

Dealings with a random bank

A few days back, I got a transaction alert, regarding the use of my debit card. The only problem is that I have no account with that bank! When I wrote to its customer help address, Microsoft Exchange asked me to try later as the mailbox was full.

The alert was from a town in Rajasthan. I found an email address of a branch and informed them that the email address for the transaction was not correct. I did not hear from them but a few days later, I got an email:

“We are pleased to inform you that your KYC details with <X> have been registered with Central KYC Registry.

“Please find enclosed your KYC record xx. The file is password protected. Please enter your date of birth in the format ddmmyyyy to open the file.”

I informed them that the KYC information regarding the email was incorrect. No response.

The number of password combinations is of the order of 365×50 (approximately 20,000). I am pretty sure that a script on even a desktop would find the valid password in well under a minute.

I continued to get an occasional alert. I was tempted to use the following to catch their attention:

“If not done by you, forward this email from email id registered with <X> to unauthorisedtransaction@x to block your card.”

I decided against this as the person may be as old as I am and, most likely, digitally illiterate. He would have to run around and nothing in the bank’s processes would change. So, instead, I set up a filter to send all mails from <X> to trash.

The unknown telecom company

I have a namesake in Punjab as well (not that I am particularly surprised). I got a telephone bill and I informed the company that the email address was incorrect. I got a polite response. However, for several months I continued to get the bills.

I probably was in an irritable frame of mind when yet another bill arrived, so I decided to send a sarcastic email.

“Very poor service. You insist on sending me a bill when I have never stayed in Jalandhar. Feel free to disconnect,” my message stated. I was rather surprised by the response (only the number has been removed — the rest of the text is as received):

“This is in reference to your e-mail asking for the disconnection.
“We would like to inform you that disconnection of your number xxx request has been forwarded to concerned department for further process and we will get back to you within 48 hrs.”

Obviously my effort at sarcasm had failed. Fortunately for my namesake, they called him regarding the disconnection (as I got an email informing me that as per their telephone conversation with ‘me’, the phone is working fine)!

Is this a difficult problem to address? No, it isn’t. Any organisation should realise that the person giving the data may make an error. If the data is given on paper, then there could be data entry mistakes as well. So, some checks are desirable. Most sites will not take your email at face value. They will send a message to the given address and expect you to take some action to confirm that it is indeed your email.

Sending an email is not hard at all. All you need is access to an SMTP server. Receiving and processing the response is not difficult either. You can include a URL with a code for the user in the message. So a click on the URL by the user is enough for you to confirm the email address.

It is easy to find sample code for this purpose, depending on the technology or framework you may be using.

Choose your email ID wisely

In a matrimonial ad, a prospective groom had given his email as replyto-x@gmail.com. Unfortunately, many of the responders sent the resumes of prospective brides to x@gmail.com, which happened to be my son’s email ID. Fortunately, his wife was very understanding!

LEAVE A REPLY

Please enter your comment!
Please enter your name here