LDS Account, MRN security, and mobile tools

Church Account is the primary user account (user name and password) for accessing online Church resources. Church Account was formerly known as LDS Account. This forum is a space to discuss all things related to Church Accounts (registration, account recovery, user experience, vulnerabilities, etc.).
aebrown
Community Administrator
Posts: 15100
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Thread split

Postby aebrown » Fri Jan 28, 2011 2:13 pm

Moderator's Note: For those who are following this lively discussion, please note that I have pulled the posts that are now in this thread from the thread New Mobile Apps Available. This topic was quite distinct from that thread, and this discussion was obscuring other posts that were germane to that topic.

Even within this new thread, there are three discussions. One is related to the security issues involved with accessing the mobile web services via LDS Account, another is related to whether the data accessible via those web services will include the MRN, and third relates to the security of the MRN as a key identifier in obtaining and securing an LDS Account. But those three discussions are so intertwined that I couldn't figure out how to separate them.

I also moved this discussion to the LDS Account forum, since it is much more related to LDS Account than to mobile apps (even though it does involve both, and MLS, and a few other topics).
Questions that can benefit the larger community should be asked in a public forum, not a private message.

aebrown
Community Administrator
Posts: 15100
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jan 28, 2011 2:28 pm

RussellHltn wrote:That's what I remembered, but I checked before I posted (that's how Ross scooped me)

I played dumb and indicated that I had forgotten my LDS Account name. At that point I'm asked for MRN and Birth Date.

That's all the further I went. It's entirely possible I may have to supply more information to take over an account, but that's all that's needed to start the process.


Well, we're both wrong.

I took the recovery process farther and discovered that the confirmation date is no longer used (although it definitely was once upon a time) to recover a forgotten password when the email address is no longer functioning.

If you need to recover your username, you are prompted to enter your email address, and the username is sent to the registered email address. But if you don't have the email address (have forgotten it, or it no longer works), you can recover your username by doing the following:

  1. Enter your membership record number
  2. Enter your birthdate
  3. If the above data is correct, then you have to answer two security questions correctly.
It's this last step that adds significant extra security against hijacking an account. I tried this process twice, and saw different questions. I don't recall how many security questions I set up originally.

Of course, it's possible that someone who knows me very well might be able to guess my security questions, but they'd have to know me so well that I already trust them and I'm sure they wouldn't hijack my account.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

RossEvans
Senior Member
Posts: 1346
Joined: Wed Jun 11, 2008 8:52 pm
Location: Austin TX

Postby RossEvans » Fri Jan 28, 2011 8:01 pm

BTW, while potential security holes related to LDS Account and mobile apps are being closed, I certainly hope this one has been plugged by now. It's been more than a year since I last looked, and I have never been a customer. But I don't know whether the app was ever fixed as promised. That was (is?) a different case not involving the MRN, but sending members' LDS Account credentials (username and password) directly to a third-party vendor's server.

Followups should probably be posted in that thread. But since this new thread has become a roundup of several related security issues, it bears mention here. The case also touches on the original question at the top of this thread regarding the future of the authenticated API and its use by outside parties.

aebrown
Community Administrator
Posts: 15100
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jan 28, 2011 9:38 pm

RossEvans wrote:BTW, while potential security holes related to LDS Account and mobile apps are being closed, I certainly hope this one has been plugged by now. It's been more than a year since I last looked, and I have never been a customer. But I don't know whether the app was ever fixed as promised. That was (is?) a different case not involving the MRN, but sending members' LDS Account credentials (username and password) directly to a third-party vendor's server.

Followups should probably be posted in that thread. But since this new thread has become a roundup of several related security issues, it bears mention here. The case also touches on the original question at the top of this thread regarding the future of the authenticated API and its use by outside parties.


This thread is already messy enough. I suppose it's okay to put a reminder of that thread here, but please don't pursue that topic in this thread. There's absolutely no reason to continue that discussion here -- continue it in the existing thread.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

Mikerowaved
Community Moderators
Posts: 3619
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Fri Jan 28, 2011 10:00 pm

aebrown wrote:If you need to recover your username, you are prompted to enter your email address, and the username is sent to the registered email address. But if you don't have the email address (have forgotten it, or it no longer works), you can recover your username by doing the following:

  1. Enter your membership record number
  2. Enter your birthdate
  3. If the above data is correct, then you have to answer two security questions correctly.
It's this last step that adds significant extra security against hijacking an account. I tried this process twice, and saw different questions. I don't recall how many security questions I set up originally.

Just a few minutes ago I went through this process with my mother-in-law's LDS Account. Her old email address was no longer valid and she had no idea what her username and password once were, so basically we started with nothing.

Using only her MRN and birthday, I was able to...

  1. Reveal her username
  2. Change her email address
  3. Change her password
Since she originally had no security questions set up, I was not prompted for any. I was actually surprised how simple it was to accomplish the above with just the information I had.
So we can better help you, please edit your Profile to include your general location.
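The two posts above describe the same recovery flow from both sides: aebrown's steps (MRN, birthdate, then two security questions) and Mikerowaved's observation that when no questions were ever enrolled the third step is simply skipped, so MRN plus birthdate alone reveal the username and allow the email and password to be changed. The model below is an added illustration written for this thread, not code from the Church or from any poster. It contrasts that weak policy with a hardened one in which MRN and birthdate only locate the record, enrolled questions are mandatory for every self-service action, an account with none enrolled is denied self-service (routed to manual verification), and repeated wrong answers lock the path. The account record, the MRN value, the questions and answers are all constructed placeholders; the function names are this example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """Constructed sample record; MRN and dates are placeholders, not real data."""
    username: str
    mrn: str
    birthdate: str  # ISO date string
    # question -> (salt, PBKDF2 digest of the normalized answer); empty if never enrolled
    question_hashes: dict = field(default_factory=dict)
    failed_question_attempts: int = 0


def _normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "Austin" and " austin " match
    return " ".join(answer.lower().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


def enroll_questions(account: Account, answers: dict) -> None:
    """Store security answers the way passwords are stored: salted and stretched."""
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        account.question_hashes[question] = (salt, _hash_answer(answer, salt))


def verify_answers(account: Account, provided: dict, required: int = 2) -> bool:
    """True if at least `required` provided answers match enrolled ones (constant-time compare)."""
    correct = 0
    for question, answer in provided.items():
        stored = account.question_hashes.get(question)
        if stored is None:
            continue
        salt, digest = stored
        if hmac.compare_digest(digest, _hash_answer(answer, salt)):
            correct += 1
    return correct >= required


def recover_weak(account: Account, mrn: str, birthdate: str,
                 answers: Optional[dict] = None) -> bool:
    """Recovery policy as the thread describes it: MRN + birthdate unlock the account,
    and security questions are only asked if the member happened to enroll some."""
    if mrn != account.mrn or birthdate != account.birthdate:
        return False
    if account.question_hashes:
        return verify_answers(account, answers or {})
    return True  # no questions enrolled -> the step is silently skipped


def recover_hardened(account: Account, mrn: str, birthdate: str,
                     answers: Optional[dict] = None, max_attempts: int = 5) -> bool:
    """Hardened policy: MRN + birthdate only locate the account. Every self-service
    action (username reveal, email change, password reset) additionally needs enrolled
    questions answered; an account with none enrolled is denied here (manual
    verification instead), and repeated wrong answers lock the self-service path."""
    if mrn != account.mrn or birthdate != account.birthdate:
        return False
    if not account.question_hashes:
        return False
    if account.failed_question_attempts >= max_attempts:
        return False
    ok = verify_answers(account, answers or {})
    if not ok:
        account.failed_question_attempts += 1
    return ok


def demo() -> dict:
    """Walk the scenario from the thread: a member with no questions enrolled."""
    acct = Account(username="jdoe", mrn="000-0000-0000", birthdate="1970-01-01")  # constructed
    results = {
        "weak_no_questions": recover_weak(acct, "000-0000-0000", "1970-01-01"),
        "hardened_no_questions": recover_hardened(acct, "000-0000-0000", "1970-01-01"),
    }
    enroll_questions(acct, {"first pet": "Rex", "birth city": "Austin"})
    good = {"first pet": "rex", "birth city": "  AUSTIN "}
    results["hardened_with_answers"] = recover_hardened(acct, "000-0000-0000", "1970-01-01", good)
    results["hardened_wrong_answers"] = recover_hardened(
        acct, "000-0000-0000", "1970-01-01", {"first pet": "Fido", "birth city": "Boston"})
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the gap the posts describe: with no questions enrolled the weak policy returns `True` on MRN and birthdate alone, while the hardened policy returns `False` until questions exist and are answered. Storing answers salted and stretched, comparing them in constant time, and counting failures are the same controls a password check would get, since in this flow the answers are effectively a second password.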

aebrown
Community Administrator
Posts: 15100
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jan 28, 2011 10:11 pm

Mikerowaved wrote:Since she originally had no security questions set up, I was not prompted for any. I was actually surprised how simple it was to accomplish the above with just the information I had.


I think I have some faulty memory. Now that I remember things better, I don't think most people have to set up security questions. But it would be a good idea, in my opinion, to require everyone to set up some security questions.

So it really is just a matter of having the MRN and birthday, which strengthens the case for being quite careful with the security of MRNs.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

russellhltn
Community Administrator
Posts: 26394
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Jan 28, 2011 10:19 pm

aebrown wrote:But it would be a good idea, in my opinion, to require everyone to set up some security questions.


Probably not a bad idea, but this is a "wish list item", is it not? Because I went into my LDS Account and I didn't see anything about security questions there. Since I suffer from CRS (can't remember squat), I'm not sure if I've set any up in the past.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

Mikerowaved
Community Moderators
Posts: 3619
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Fri Jan 28, 2011 10:50 pm

aebrown wrote:But it would be a good idea, in my opinion, to require everyone to set up some security questions.

To tell you the truth, I can't find that as an option for LDS Account.
So we can better help you, please edit your Profile to include your general location.

aebrown
Community Administrator
Posts: 15100
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jan 28, 2011 10:55 pm

RussellHltn wrote:Probably not a bad idea, but this is a "wish list item", is it not?


Yes, that's why I said "good idea" -- it's just a suggestion. As I said, most people don't have the security question option, so I wasn't talking about how it works right now.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

russellhltn
Community Administrator
Posts: 26394
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Jan 28, 2011 10:58 pm

OK, the earlier post left me with the impression it was at least an option for us "normal" users. Apparently not.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
