Don't get phished! Says Sonic Support, but no MFA on email?
Posted: Tue Sep 21, 2021 9:29 am
I'm a long time (20 year) Sonic customer. I was surprised (and saddened) to get the "Don't get phished" email the other day from Sonic. It was a stark reminder of the total failure to implement modern authentication on the email system.
It's 2021 for goodness sake. Gmail has had MFA on email for 10 years. All the major providers have MFA.
It is EXTREMELY well documented that bad actors breach email accounts and use the account to reset passwords on other accounts, like banks, credit cards, etc. They use email accounts to phish other contacts. They use it for all kinds of bad stuff. I don't want to lose my accounts tied to Sonic because of this.
I contacted support again about this when I got the "Don't get phished" email and got this reply this morning:
"We do not currently have MFA for sonic email as of yet. One of the difficulties with implementing that is most people use email clients which access the server automatically to update mail. We would have to implement a procedure to restrict that to manual instances in order to implement MFA. As such it isn't easily practical to implement widely. I will pass on your feedback to our team though." ... "I would also recommend commenting on the forum regarding this implementation. Our system admins keep an eye on it. I believe there is also a recent thread with regards to this issue."
I know these projects aren't easy, and may cause some inconvenience. However, the inconvenience and risks of having your email account breached are greater, and have been for a long time. Password auth is not viable in this day and age.
I'm glad the SysAdmins read the boards; I hope the Security team and Dane read it also and can muster the organizational will to fix this issue.
Here are a couple of other threads about this. I didn't look very hard and I'm sure there are more...
viewtopic.php?f=5&t=14516
viewtopic.php?f=10&t=16619
Adrian