LUWS Account Security Breach

Share discussions around the Classic Local Unit Website (LUWS).
edwardlalone
New Member
Posts: 31
Joined: Sun Apr 01, 2007 2:17 pm
Location: Orem, UT

Postby edwardlalone » Fri Jul 17, 2009 7:49 pm

I noticed that one idea about why this has happened hasn't been suggested and that people are being too quick to assume that there is a sinister motive behind why this has happened instead of a simple clerical mistake.

If the "victim" (if they are really a victim) knows the person who has access to the account it may be because their names appeared next to each other on a membership list or some other clerical mistake was made when signing people up for a LUWS account.

Let's not forget that there was no confirmation of identity under the old LUWS login when you signed up and someone would have no idea that they signed up using the wrong membership number if they were in the same ward at that time. This is avoided now because a person is asked to confirm that they are JANE DOE who was born on 01 Jan 1960.

I just helped a member of my ward whose brother was accidentally signed up with his information. All the information on the account was his brother's but his membership number was the one being used. We know that his brother did not intend for it to happen so we simply took the LDS Account back but if you are worried you should follow up to make sure that the other member doesn't continue to use the membership record number but I strongly suspect that this was a simple mistake as was the case with two brothers of my ward (one who no longer lives in this ward). Since they are also brothers there isn't any reason why one would have used the other's information except that they had appeared next to each other on a membership list or a clerk wrote down the wrong record number and confirmation when he gave it to the member.

I don't see any valid reason for someone to deliberately sign up under another person's membership record number and since you aren't getting any response from this other person it's entirely possible that the person who used that email no longer uses that email account and has no idea that it is happening. This would especially be the case for young people who frequently change email addresses or older people who no longer have a computer.

Let's not be quick to assume that this was a deliberate act because if it was it would be stupid to use an email address with your real name when you are taking someone else's account. You would use their information and create a fake email address. :eek:

aebrown
Community Administrator
Posts: 15123
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jul 17, 2009 8:34 pm

Edward Lalone wrote: Let's not forget that there was no confirmation of identity under the old LUWS login when you signed up and someone would have no idea that they signed up using the wrong membership number if they were in the same ward at that time.


Even for the old LUWS login, you had to also supply a confirmation date. I suppose someone might have been given both the membership number and confirmation date that belong to someone else, but it seems a pretty long shot that the confirmation date would be so close to correct that the member would think it was reasonable.

But you're right that it all does seem a bit odd, and we don't have enough information to make assumptions as to why this was done.

edwardlalone
New Member
Posts: 31
Joined: Sun Apr 01, 2007 2:17 pm
Location: Orem, UT

Postby edwardlalone » Fri Jul 17, 2009 8:51 pm

Alan_Brown wrote: Even for the old LUWS login, you had to also supply a confirmation date. I suppose someone might have been given both the membership number and confirmation date that belong to someone else, but it seems a pretty long shot that the confirmation date would be so close to correct that the member would think it was reasonable.

But you're right that it all does seem a bit odd, and we don't have enough information to make assumptions as to why this was done.


I don't know about his specific situation but I can speak for the two brothers in my ward where one brother signed up using his brother's membership record number. I suspect that if the wrong membership record number is provided to a member then the wrong confirmation date would also be provided.

Most people don't remember their confirmation date and wouldn't question a date given to them by their Clerk or Membership Clerk. If the date was 20 or 10 years off then someone may catch it, or if they are a convert as is my case. I can provide my confirmation date and priesthood ordination from my memory because I know exactly when they happened but someone who was baptized and confirmed when they were children would have to have a good knowledge of the doctrine of baptism and confirmation and understand that it happened when they were 8 (this is still not true of all non-converts). Most members of my ward would be very unlikely to catch an error in their confirmation date.

I even helped sign up a girl for the website whose birth date was wrong on her membership record and she didn't catch it until three or four tries. :confused:

dmaynes
Member
Posts: 233
Joined: Sat Nov 01, 2008 9:50 am
Location: Pleasant Grove, Utah

Postby dmaynes » Sat Jul 18, 2009 5:23 am

RussellHltn wrote: How are you doing this? The only way I know is to draft a broadcast email and then record all the results. I'm not sure if it's still true, but I seem to remember that only showed the first 100 addresses.


1. Extract the list of registered users (with e-mail addresses)
2. Draft a broadcast email, select the group, then "view source" on the preview screen, copy and paste the e-mail addresses from the page source, save the e-mail addresses in a file.
3. Compare the registered user list with the lists extracted from each broadcast list that you extracted.

A little tedious, but not too hard. It helps if you have tools that can extract data from the HTML source code lists.
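
The three-step comparison described in the post above can be scripted. This is an added example, not part of the original post or of any LUWS tooling; the CSV columns (`name`, `email`), the group names and the page-source markup are constructed assumptions, and the shared-address check goes slightly beyond the listed steps.

```python
import csv
import html
import io
import re

# Pragmatic address matcher for an audit, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample data: an exported user list and two saved preview pages.
REGISTERED = """\
name,email
Jane Doe,jane@example.org
John Doe,JOHN@example.org
Sam Roe,sam@example.org
Pat Roe,sam@example.org
"""
GROUPS = {
    "Group A": '<option value="jane@example.org">Doe, Jane &lt;jane@example.org&gt;</option>',
    "Group B": "<td>john&#64;example.org</td><td>stranger@example.net</td>",
}

def emails_from_source(page_source):
    """Step 2: pull every address out of a saved 'view source' page."""
    text = html.unescape(page_source)  # decodes &#64; and &lt;...&gt; forms
    return {m.lower() for m in EMAIL_RE.findall(text)}

def registered_emails(csv_text):
    """Step 1: map normalised e-mail -> list of names from the user export."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        users.setdefault(row["email"].strip().lower(), []).append(row["name"].strip())
    return users

def compare(csv_text, group_sources):
    """Step 3: report where the user list and the broadcast lists disagree."""
    users = registered_emails(csv_text)
    report = {"shared_address": {e: n for e, n in users.items() if len(n) > 1},
              "not_registered": {}, "in_no_group": set(users)}
    for group, source in group_sources.items():
        found = emails_from_source(source)
        extra = found - set(users)  # receives broadcasts but has no user entry
        if extra:
            report["not_registered"][group] = sorted(extra)
        report["in_no_group"] -= found
    report["in_no_group"] = sorted(report["in_no_group"])
    return report

if __name__ == "__main__":
    print(compare(REGISTERED, GROUPS))
```

Each entry in the report is a lead for a conversation with the member, not proof of misuse.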

dmaynes
Member
Posts: 233
Joined: Sat Nov 01, 2008 9:50 am
Location: Pleasant Grove, Utah

Postby dmaynes » Sat Jul 18, 2009 6:02 am

Edward Lalone wrote: I noticed that one idea about why this has happened hasn't been suggested and that people are being too quick to assume that there is a sinister motive behind why this has happened instead of a simple clerical mistake.


I agree this could happen. When it comes to potential security breaches, I am a very paranoid person. It probably comes from being risk averse. I tend to presume the worst scenario so that I can seek the best remedy. If I am to make a mistake, I feel like it is better to err on the side of protecting the innocent.

I don't know the advice I would give to another ward administrator in a similar situation. If the account hijacking were unintentional, then just talking to people would clear the matter up. But, if some malfeasance were present, you would be potentially dealing with an unstable person. That would be very, very different.

lajackson
Community Moderators
Posts: 9573
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Sat Jul 18, 2009 8:38 am

Alan_Brown wrote: I suppose someone might have been given both the membership number and confirmation date that belong to someone else, but it seems a pretty long shot that the confirmation date would be so close to correct that the member would think it was reasonable.


Perhaps they were twins?

russellhltn
Community Administrator
Posts: 28799
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sat Jul 18, 2009 11:37 am

dmaynes wrote: I should have recognized this security breach a lot sooner than I did.


I disagree. All of those steps you've outlined fall under "magnifying one's calling". It's well above and beyond what I'd expect of an administrator.

I'm not saying it's wrong to do them. The steps you've outlined are good for those who want to do that. But I think it's wrong to beat yourself up for not doing them. Particularly since you haven't mentioned anything that made you suspicious prior to that.
