
Page 1: [IEEE 2014 International Conference on Communication Systems and Network Technologies (CSNT) - Bhopal, India (2014.04.7-2014.04.9)] 2014 Fourth International Conference on Communication

Analyzing Email Account Creation: Expectations v/s Reality

Vishal Kumar, Department of CSE, BTKIT, Dwarahat, Almora, Uttarakhand, India
Kunwar Singh Vaisla, SMIEEE, Department of CSE, BTKIT, Dwarahat, Almora, Uttarakhand, India
Jaydeep Kishore, Department of CSE, SIT, Pithoragarh, India

Abstract—Email is the most used mode of communication in the present era. An email account is now a necessity, as it is part of all application forms on the Internet. We have identified some deficiencies in the account creation systems of the available email service providers and discuss a previously unconsidered avenue by which a user can create any number of fake accounts without restriction. We present the results of our study on the most popular email service providers. Our approach is simple, and our analysis shows that it is easier to harm a known person by creating such fake accounts than by compromising others' accounts, which is more tedious. We also outline our defense mechanisms to mitigate the creation of fake email accounts and enhance security.

Keywords-Privacy; Identity; Online social networks; Email; OTP

I. INTRODUCTION

There are around 2.2 billion email users in the world [1], and over the past few years the number of internet users has risen due to the immense popularity of online social networks. People who sign up for these services trust the system with their personal information. A lot of work has been done to identify fake data, images or identities on online social media [2, 3]. With the increase in the usage of social networks, we need to be concerned about privacy and security. Public awareness of privacy concerns and vulnerability has grown, but many users still remain incognizant of the potential for their personal information to be used or compromised by malicious attackers and, in some cases, by the service providers themselves. Our investigation found that malicious adversaries try to gain information about other people's accounts using fake accounts. The privacy policy intends to secure user data, but do we really need to secure fake data? A survey says Facebook [17] has 8.7% bogus accounts, roughly 83 million accounts [4]. The main cause behind fake accounts is fake email accounts, which means that to overcome this problem we need to track back to them. These malicious accounts also play a vital role in phishing. Therefore the consequences of fake email accounts may be damage, chaos and monetary losses in the real world. Related work is given in Section II. In Section III, we present our experimental work on creating fake accounts on various popular email service providers. Section IV gives the results of these experiments. Section V shows defense mechanisms to mitigate this problem. Section VI concludes the paper with some future work to be done.

II. RELATED WORK

Researchers and academicians have done a lot of work on social networks in areas such as spam detection, networking, privacy and security. The authors in [5] review different security and privacy risks which threaten the well-being of OSN users and illustrate different classic threats with real-life scenarios. M. Egele et al. [6] developed a tool called COMPA to detect compromised user accounts in social networks on Twitter and Facebook. The approach uses a composition of statistical modeling and anomaly detection to identify accounts that experience a sudden change in behavior. A. Gupta et al. [7] analyzed malicious content posted on Twitter during the Boston crisis event and show that a large number of users with high social reputation and verified accounts were responsible for spreading the fake content. L. Bilge et al. [8] investigate automated crawling and identity theft attacks against a number of popular social networking sites. In this paper we investigate the actual cause behind the scene, i.e. the fake email accounts on the internet.

III. THE EXPERIMENT

We identified the following questions regarding deficiencies in the present email system. How efficient is our email service system? Is it efficient enough to trace out fake email accounts? The experiments on popular email service providers expose the deficiencies of the present system. We created fake email accounts on popular email service providers like Yahoo [13], Rediff [14], Gmail [15] and Hotmail [16]. In this paper, we focus on measuring the disparity between the desired and the actual scenarios of creating a new email account.

We started our experimental work with Hotmail. The account creation process requires inputting data such as name, date of birth, mobile number, and even alternate email account details, all of which we entered as bogus. We were offered a choice of username. Hotmail mainly focuses on creating a strong password to ensure the safety of user accounts. A strong password should have capital letters, numerals and symbols, and should not contain your first or last name. Users can reset their password; two choices are given, entering either a mobile number or an alternate email account. Finally, you input your location, along with your postal code, to complete sign up. It was surprising that neither the mobile number nor the alternate email account was verified. A new email account with a welcome message is ready to use.

2014 Fourth International Conference on Communication Systems and Network Technologies
978-1-4799-3070-8/14 $31.00 © 2014 IEEE
DOI 10.1109/CSNT.2014.126

TABLE I. USER ATTRIBUTES FOR NEW EMAIL ACCOUNT

Attributes        Description
----------------  ---------------------------------------------------------------
Name              F_Name / M_Name / L_Name: Name of the user who owns the account
Username          combination of alphabets and numerals excluding special symbols
Password          combination of alphabets and numerals including special symbols
Date of Birth     User must be 13+
Gender            Comes with 3 options M/F/other
Mobile Phone      It offers 2 advantages; security and resetting the password
Alternate Email   Email account on any other email service provider in case of resetting the password
Location          Nationality

We repeated the same experiment on Rediff. The procedure requires similar inputs as discussed above. On comparing, we found the difference that a user does not require a mobile number or an alternate email account to create a new email account on Rediff. In lieu, the user can opt for a security question. A new email account with a welcome message is ready to use. A user account on Rediff can easily be compromised, as it allows you to opt for your own name as your password.

In other words, password creation on Rediff suffers from bad practice. We continued the process on Yahoo. The process of data filling is the same as earlier. Yahoo emphasizes creating a strong password, similar to Hotmail. If you do not have an alternate email, then you need to have some security questions. Yahoo suffers from the same deficiency and left the mobile number unverified.

Finally, we ended with new email account creation on Gmail. Undoubtedly, email creation is better and more effective on Gmail. The two-step verification on Gmail verifies your account by sending an OTP to your mobile number. You may opt to receive the codes either through text messages (SMS) or via voice call. Once you verify the code received on the phone, it means you are an authorized user.

IV. RESULTS

Nearly half of the users who have access to the Internet are members of some online social network [10]. Users are dependent on email services to create a profile on an online social network, as shown in Fig. 1. It means that the email account is the root cause of fake accounts on social networks. After analyzing the attributes listed in Table 1, we found that the attributes are sufficient to develop a defense mechanism to restrict fake account creation. During account creation a user can willingly feed wrong entries like name or date of birth to create a bogus account. The drawback is that no email service provider verifies the data inputted by the user. Suppose A wants an email account with a fake name B. It is easy and possible in the current system. Even if A is a genuine user, there is still no way to verify her data. Rediff, Hotmail and Yahoo ask for the user's mobile number, but none of them verify the correctness of the number, such as whether the number is working or not, valid or not, simply by sending a verification code to it. It shows that the collection of data is merely a formality.

Figure 1. (a) Sign Up Process of Facebook

Figure 1. (b) Sign Up Process of Twitter


Figure 1. (c) Sign Up Process of Pinterest

Figure 1. (d) Sign Up Process of LinkedIn

Figure 1. Sign Up Process of popular online Social Networks

We found that only Google offers two-step verification when a user creates a new account. Google sends a verification code to the mobile number, which must be fed in to access your account. Google offers one-time account verification through either of two methods. With SMS verification, the user gets a unique PIN at the mobile phone number. Upon entering that PIN, the account will be verified and the user is authorized to access the account. Google does not charge for SMS verification.

The other method to receive the verification code is through a voice call. Even Google can be fooled using Pinger [12]. Pinger offers virtual mobile numbers to send and receive text messages or voice calls. A CAPTCHA is ubiquitously deployed by all email service providers and online social networks for guarding account registration, comment posting, and so on [9].

V. THE PROPOSED SOLUTION

In our experiment, we found that the data requested by any email service provider is sufficient. It means that we need to search for the solution within these attributes. We are assuming the user's mobile number is a mandatory field to be inputted by the user. Assuming that all users provide their mobile number during email creation, our proposed solution has two approaches:

A. Using Truecaller

Truecaller [11] is a global phone directory application for smart and feature phones, also accessible through its web site, developed by True Software Scandinavia AB. It finds contact details globally given a name or telephone number, and has an integrated caller ID service using crowdsourcing to achieve call-blocking functionality and social media integration to keep the phonebook up-to-date with pictures and birthdays. The name has been given to the application as it returns the true name of the caller. An interface can be created between the email service providers and Truecaller to verify the mobile number entered by the user. The application returns the name of the user along with the location where the SIM is registered.

Figure 2. True Caller Screen

This approach has its own limitations. A user can fool it to get information about the mobile number owner simply by trial, and the same can be used to create an account.

B. Using Identity Resolution

This scheme of identity resolution follows two processes: identity search and identity matching.

• Identity search process sends a request to the mobile operator's database to look up and verify the desired information obtained from the user.

• Identity matching process is the outcome of the identity search process in the form of valid or invalid data: valid in the case the data matches and invalid otherwise. The identity matching process calculates the similarity between the data available in the mobile operator's database and the data inputted by the user.


The methodology is shown in Figure 3. The user communicates with the email service provider, which in turn communicates with the mobile operator for the valid data.

Figure 3. Methodology

a. Identity Search

For a user U, her identity is given, with her mobile number as the verification parameter S that serves as the search parameter. The email service provider sends a request to the mobile operator for verification.

Any search method takes a source and a set of search parameters as input and retrieves a set of candidate items which hold similar values for the search parameters. For an identity search algorithm, the source can be the given identity and the search parameter a mobile number on her identity dimensions.

b. Identity Matching

If the data supplied by the email service provider matches the user data held for that mobile number by the mobile operator, the user is genuine. We need to create a matching function that returns 1 if the query sent matches the mobile operator's data and 0 otherwise.
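
One way to implement the identity search and matching function described above, as an added example that is not code from the paper. The operator database, the token-based name similarity, the 0.85 threshold and the use of date of birth as a second attribute are assumptions made here; all records and numbers are constructed.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Optional

NAME_THRESHOLD = 0.85  # assumed cut-off; the paper does not give one


@dataclass(frozen=True)
class Identity:
    name: str
    dob: date
    mobile: str


def normalize_mobile(raw: str, country_code: str = "91") -> str:
    """Reduce a typed number to country code + national digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:                             # bare national number
        return country_code + digits
    if len(digits) == 11 and digits.startswith("0"):  # trunk prefix 0
        return country_code + digits[1:]
    if digits.startswith("00"):                       # 00 international prefix
        return digits[2:]
    return digits


def name_tokens(name: str) -> list:
    """Case-fold, drop accents and punctuation, split into word tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[^\W\d_]+", plain.casefold())


def name_similarity(a: str, b: str) -> float:
    """Order-insensitive token similarity in [0, 1]; tolerates a missing
    middle name, but a one-token name can score at most 0.5."""
    short, long_ = sorted((name_tokens(a), name_tokens(b)), key=len)
    if not short:
        return 0.0
    best = (max(SequenceMatcher(None, s, t).ratio() for t in long_) for s in short)
    return sum(best) / max(len(short), 2)


def identity_search(mobile: str, operator_db: dict) -> Optional[Identity]:
    """Identity search: the mobile number is the search parameter S."""
    return operator_db.get(normalize_mobile(mobile))


def identity_match(claim: Identity, operator_db: dict) -> int:
    """Identity matching: 1 if the claim matches the operator record, else 0.
    Only the bit is returned: no subscriber data goes back to the caller,
    and the result does not say which field failed."""
    record = identity_search(claim.mobile, operator_db)
    if record is None:
        return 0
    name_ok = name_similarity(record.name, claim.name) >= NAME_THRESHOLD
    return int(name_ok and record.dob == claim.dob)


# Constructed operator records (not real subscribers or numbers).
OPERATOR_DB = {
    "915550100001": Identity("Asha R. Verma", date(1990, 5, 17), "915550100001"),
}

if __name__ == "__main__":
    dob = date(1990, 5, 17)
    for name in ("Asha Verma", "verma, asha", "Asha Varma", "Rohit Sharma", "Asha"):
        print(name, identity_match(Identity(name, dob, "+91 55501 00001"), OPERATOR_DB))
```

Returning only 0 or 1 keeps the operator's subscriber data out of the signup flow, in contrast to the directory lookup in approach A, which returns the owner's name and location.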

VI. CONCLUSION

This paper primarily focuses on deficiencies in the present email account creation system. We addressed defense mechanisms to mitigate the problem, but there are some challenges associated with them, like network congestion, reliability, and policy issues between mobile operators and internet giants. The present email account creation system of popular free email service providers is effective but not efficient. Therefore the consequences may be damage, chaos and monetary losses in the real world. We hope that the study in this paper will at least contribute to new research directions.

We are developing a mathematical model to calculate the complexity due to network traffic. We would like to conduct a larger study for the identification of existing fake email accounts. As a next step, we would like to mitigate existing fake accounts and analyze network congestion due to the additional verification tier.

REFERENCES

[1] http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/

[2] A. Gupta, H. Lamba, P. Kumaraguru, and A. Joshi, "Faking Sandy: Characterizing and Identifying Fake images on Twitter during Hurricane Sandy," 2nd International Workshop on Privacy and Security in Online Social Media (PSOSM), in conjunction with the 22nd International World Wide Web Conference (WWW), 2013.

[3] P. Jain, P. Kumaraguru, and A. Joshi, "@I seek 'fb.me': Identifying Users across Multiple Online Social Networks," 2nd International Workshop on Web of Linked Entities (WoLE), in conjunction with the 22nd International World Wide Web Conference (WWW), 2013.

[4] 83 million Facebook accounts are fakes and dupes, http://bit.ly/Np3seb.

[5] M. Fire, R. Goldschmidt, and Y. Elovici, "Online Social Networks: Threats and Solutions Survey," CoRR abs/1303.3764, 2013.

[6] M. Egele, G. Stringhini, C. Kruegel, and G. Vigna, "COMPA: Detecting Compromised Accounts on Social Networks," 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013.

[7] A. Gupta, H. Lamba, and P. Kumaraguru, "$1.00 per RT #BostonMarathon #PrayForBoston: Analyzing Fake Content on Twitter," IEEE APWG eCrime Research Summit (eCRS), San Francisco, USA, 16-18 September 2013.

[8] L. Bilge, T. Strufe, D. Balzarotti, and E. Kirda, "All your contacts are belong to us: automated identity theft attacks on social networks," 18th international conference on World wide web (WWW-2009).

[9] M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage, "Re: Captchas: Understanding CAPTCHA-solving services in an economic context," 19th USENIX conference on Security (SEC'10), 2010.

[10] Global Publics Embrace Social Networking. PewResearchCenter, 2010. http://pewglobal.org/2010/12/15/global-publics-embrace-social-networking/

[11] www.truecaller.com

[12] www.pinger.com

[13] www.yahoo.com

[14] www.rediff.com

[15] www.gmail.com

[16] www.hotmail.com

[17] www.facebook.com
