Your privacy on Nokia Ovi Store

My friend Adam Greenfield recently complained about the over-engineering culture at Nokia:

I was given an NFC phone, and told to tap it against the item I wanted from the vending machine. This is what happened next: the vending machine teeped, and the phone teeped, and six or seven seconds later a notification popped up on its screen. It was an incoming text message, which had been sent by the vending machine at the moment I tapped my phone against it. I had to respond “Y” to this text to complete the transaction. The experience was clumsy and joyless and not in any conceivable way an improvement over pumping coins into the soda machine just the way I did quarters into Defender at the age of twelve.

It’s not that the NFC-based, phone-to-object interaction didn’t work. Of course it did: it had been engineered perfectly. But what it hadn’t been was designed. Those responsible for imagining the interaction apparently wanted to protect users against the (edge case!) contingency of someone making off with their phones and running up a huge vending-machine tab.

Today, I found out that the Nokia Ovi Store team could actually learn a few things about privacy and security from their engineers.

Yesterday, I received the following email on one of my personal addresses (name changed to protect the guy who used my email address to register):


Date: Thu, 24 Feb 2011 12:18:17 +0000 (UTC)
From: Nokia account
To: francois_@…
Subject: Welcome to your Nokia account


Hello Francoisxyz, and welcome aboard!

To experience the full suite of Ovi services, all you need to do is visit http://www.ovi.com. Alternatively, if you would like to update your Nokia account details, please visit https://account.nokia.com.

Please verify your email address by clicking the link below:

https://account.nokia.com/acct/verifyEmail?id=_____&lang=en

If clicking the link does not work, copy and paste the URL in a new browser window instead.

Thank you for joining and we hope you enjoy using Nokia services.

All the best,
Your friends at Nokia
http://www.ovi.com

Someone had used my email address to register on Ovi. The confirmation email looked quite standard and I ignored it, thinking that the registration wouldn't go through without my confirmation. (I receive a certain number of similar emails, I guess it's the price to pay for being among the first to grab my first name on popular services.)

Then today, I received this from NokiaMusic-no-reply@nokia.com:

Welcome to Music

Hi Francoisxyz,

Welcome to Ovi, the place to discover and download new music. Make sure you put this email somewhere safe because you'll need it in case you forget your Nokia account username - Francoisxyz. You won't be able to log into Music or any of the other Ovi services without it.

Your music, your way

There are millions of tracks from today's top artists and the legends of yesteryear on Ovi, spanning everything from dance to classical to rock. It's easy to get started - you can search for specific tracks, albums and artists or simply click through the genres, charts and playlists to see what's hot. If you want to know more about exploring music on Ovi, check out our help and troubleshooting page.

We're glad to have you with us.

What. The. F…! I immediately requested a password reset, which was nicely delivered to (you guessed it) my email address, and logged in to account.nokia.com to delete this profile. What I discovered at this point is that the profile was already filled in with the guy's real name, mobile phone number, country of residence, and various other personal information (I noted he likes being spammed since he authorized Nokia to send him any promotional info by both email and SMS). It took me about 10 seconds to find his Facebook profile and remind him that he should be a bit more careful when (ab)using someone else's email address.

As for Nokia, especially for a platform that wants to compete with the Apple App Store, this is appalling. Anyone who has a vague idea about security and privacy would not design a process where one can complete a registration process with a fake email address or worse, in this case someone else's address with the obvious risk — that I just illustrated — that personal information might be passed to a stranger.

If these examples are typical of the way Nokia designs things nowadays, I'm not betting on the wedding with Microsoft to stop that platform from burning.

Now let's see how long it takes for Nokia, which I'm sure cares about their customers privacy, to fix that security issue in their registration process…

[Update 28 Feb. 2011] I'm not sure whether the Nokia folks really understand the problem. Case in point, this tweet from @NokiaHelps:

@ubiquitic Account registration is verified either by email or tel. no. depending on selection during account registration. ^JR

I've proved above that Nokia does NOT verify the email address, no matter what they say. And verification by phone number does not alleviate the problem if, when the registrant has entered someone else's email address by mistake, the later receives the acknowledgment emails I have received and which allowed me to gain access to — and delete — an account that didn't belong to me.

Let me summarize the problem for short attention-span marketing/support folks:

If someone enters a wrong email address in their Nokia profile, anyone receiving the “confirmation” emails from Nokia will be able to highjack the account.

Is that clearer ?

6 Comments

Isn't it what Nokia is about ? Connecting people :-P

François, thanks for commenting on this. We're very sorry that this was your (and the other gents) experience.


Please let me know directly if any other issues and I will make sure they are addressed.

Best,
Jason Madhosingh
Ovi Product Marketing

Thanks Jason for noticing this promptly. However I don't read anywhere in your response that you're actually going to fix this problem on the Ovi Store. The fix is very simple and you have two options:

1. either you do not ask for further personal information before you have actually confirmed that the email address belongs to the person creating a profile. In this case the process is:
- ask for the email address
- send the same confirmation email that you currently send
- wait until the person has clicked on the confirmation link before continuing with the registration process

2. or, if you think that is is more straightforward to let people fill-in a minimum of personal information at once:
- ask for the minimal information you need but make clear that the profile and services won't be activated until the email is confirmed
- send the confirmation email
- prevent any further use of services, especially login and password reset until the registrant has clicked on the confirmation link in the email

Both ways would have prevented me from gaining access to someone else's personal information.

Thanks-- we are looking at which options will work best for all users, on all canvasses. These are good suggestions.

There will always be edge cases (someone entering the incorrect email address) such as this, and of course we trust our users to know/use their personal information appropriately.

We will look for ways to be more forgiving when a user makes a mistake like this, and of course, the trick is to try and balance those checks with the best possible experience for the non-edge cases.

So-- briefly, yes, we will work to fix this, and thanks for giving excellent user feedback into the process.

Best
Jason

please help me to activate the ovi in my nokia c1 phone

Leave a comment

More or less related entries

Monthly Archives

Recent Entries

  • Steve Jobs

    "Remembering that I’ll be dead soon is the most important tool I’ve ever encountered to help me make the big choices in life. Because...

  • Your privacy on MOTOBLUR by Motorola

    After the Nokia Ovi Store carelessness, it's now Motorola who's allowing strangers to get access to your private information on their MOTOBLUR portal. Exactly like...

  • How to resume a broken ADC download

    (I'm documenting this trick for myself to remember, but it can be useful for others…) Apple, on its Apple Developer Connection site, has a bad...

  • WTF is this ‘myEventWatcherDiv’ doing in my web?

    All of a sudden I started to find the following line in most of the web pages I was browsing, including ones I made where...

  • Your privacy on Nokia Ovi Store

    My friend Adam Greenfield recently complained about the over-engineering culture at Nokia: I was given an NFC phone, and told to tap it against the...