Old Unwanted Internet Accounts are a Pain

  • Thread starter anorlunda
  • #1
anorlunda
Staff Emeritus
Insights Author
9,012
5,924
My password manager (Lastpass) just reminded me that I have more than 100 accounts that are "old", meaning that I have not used them for a year or more. For example, in the years that I lived on a boat, I bought from BoatUS almost every week, and I received substantial cash back rewards as an incentive for being a member. But things change, and I haven't used BoatUS since 2017.

What are the risks?
  • They might have credit card info or other personal info. The longer it sits there, the more exposure there is for it to be stolen. (My bank forces me to change credit card numbers once a year. That causes its own problems because the change breaks all the bill autopay arrangements I set up, and if I miss one, I get nasty letters saying that my payments are late.)
  • They might have passwords re-used on other sites. (Fortunately, Lastpass detects reused passwords and it reminds me of that separately.)
I could visit those sites and review the information, and perhaps change the passwords, and seed them with false personal info. But that's a lot of work. And I would need to redo that security review every year unless I kept detailed records on the security status of all my old accounts. That would be a waste of time for unwanted accounts. It would be better to just delete them.

After trying to delete my accounts on several sites, I realize that account deletion is not a supported feature on most web sites. (Even PF is the same. You can send an email to @Greg Bernhardt, but there is no button to click to permanently delete an account. PF has a good reason, since the archive of past posts is important.) Commercial sites do not have a good reason to keep my personal info and passwords after I stop doing business with them.

I think an account delete function should be standard on most web sites. We can't realistically force that via government regulation. It would have to become an industry best practice promulgated by trade associations.
 
  • Like
Likes Vanadium 50 and symbolipoint
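
The two checks described in the opening post (accounts unused for a year or more, and passwords reused across sites) can be run by hand over an exported vault. This is an added example, not part of the original post and not LastPass code; the CSV column names, including `last_used`, and all sample rows are constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample export. The column names (including last_used) are
# assumptions for this example, not any password manager's real format.
SAMPLE_EXPORT = """name,url,username,password,last_used
BoatUS,https://boatus.example,skipper,Anchor!2017,2017-09-30
Forum,https://forum.example,skipper,Anchor!2017,2021-02-10
Bank,https://bank.example,skipper,x9$Lq-unique-77,2021-03-01
OldShop,https://shop.example,skipper,Tr0ut&Tackle,2018-05-12
"""


def audit(export_text, today, stale_days=365):
    """Return (stale, reused): names unused for more than stale_days, and
    groups of names that share one password."""
    stale, by_digest = [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        last = datetime.strptime(row["last_used"], "%Y-%m-%d").date()
        if (today - last).days > stale_days:
            stale.append(row["name"])
        # Group on a digest so the report never holds plaintext passwords.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_digest[digest].append(row["name"])
    reused = sorted(sorted(names) for names in by_digest.values() if len(names) > 1)
    return sorted(stale), reused


def priority(stale, reused):
    """Stale accounts that also share a password come first: a breach of the
    forgotten site exposes a credential still in use elsewhere."""
    shared = {name for group in reused for name in group}
    return [name for name in stale if name in shared]


if __name__ == "__main__":
    stale, reused = audit(SAMPLE_EXPORT, today=date(2021, 3, 15))
    print("stale:", stale)
    print("reused groups:", reused)
    print("fix first:", priority(stale, reused))
```

An exported vault file holds every password in plaintext, so it should be deleted as soon as the audit is done.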

Answers and Replies

  • #2
DavidSnider
Gold Member
500
141
I've always thought some sort of personal info brokering service would be a good idea. These couldn't really prevent leaks if you have to ship something, but you can at least show some good faith that you respect the customer's wishes by having your company use such services.

There should be a sensible way to balance this and not have it be used for bad things like laundering.
 
  • #3
12,366
6,113
Sadly, while you may feel the companies have no need of your data after you no longer do business with them, you would be wrong as they market what they know about you to affiliated companies and so your data has value to them.

I do believe there should be an acct delete feature somewhere but also realize that should you get hacked the hacker may mess things up by deleting your acct. There was that one notable case with the security journalist Mat Honan where hackers broke in.

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
 
  • #4
Vanadium 50
Staff Emeritus
Science Advisor
Education Advisor
26,102
9,469
  • Love
  • Like
Likes harborsparrow and jedishrfu
  • #6
290
154
I think there are two parts here to consider:

1) Account Deletion.
2) Data Erasure.

Deleting your account is straightforward; it's basically just a "front door" into the data held by companies which can be locked / removed to prevent access using your account. The data behind it though is likely held in various databases, some with interdependencies with each other, and trying to track down every last bit of "your data" on any system is no trivial task, let alone removing it all.

On top of this, even if it would be removed from "current systems," there are data backups to consider. There is no reasonable way to remove data from a backup without restoring the system to an old state when the backup was taken, removing just "your data" and re-backing it up again. This is just not practical for each bit of data removal from each system.

Unfortunately once your data is out there, it's likely out there for a long time until those backups are no longer required and over-written.
 
  • Like
Likes davenn and jedishrfu
  • #7
anorlunda
Staff Emeritus
Insights Author
9,012
5,924
Unfortunately once your data is out there, it's likely out there for a long time until those backups are no longer required and over-written.
I agree. But there is one additional risk associated with old but active accounts. That is a hacker could use the account to order stuff to be shipped to him with the bill coming to me.
 
  • Like
Likes jedishrfu
  • #8
DavidSnider
Gold Member
500
141
If you’re primarily concerned with people ordering on your behalf, most credit card companies have proxy cards you can activate / deactivate at your will.
 
  • Like
Likes anorlunda
  • #9
etotheipi
Gold Member
2020 Award
3,157
2,115
By the way, you can check for online accounts of yours that have been involved in data breaches here:
https://haveibeenpwned.com/
Useful site, you can also sign up to be notified whenever a new breach occurs.
 
  • Like
Likes anorlunda
  • #10
jtbell
Mentor
15,716
3,842
Cueing the theme from Gilligans Isle
But they were actually on the boat only for that three-hour cruise. Or part of it, anyway. :wink:
 
  • #11
12,366
6,113
But they were actually on the boat only for that three-hour cruise. Or part of it, anyway. :wink:
What could go wrong? :-) Murphy acts in mysterious ways to bring a great tv show.
 
  • #12
harborsparrow
Gold Member
602
150
This won't fix the past--but for the present and future, I recommend you pick a couple of payment platforms (I use Google, Amazon and Paypal) and stick with only those. Any website demanding a payment from me MUST use one of those platforms, because I refuse to give my credit card info to small, third-party websites whose data security policies are unknown.

I do know that Paypal, Google and Amazon put HUGE amounts of effort into keeping customer information locked down.

I adopted this policy after my credit card was stolen online one year (it was actually after a purchase at Walmart--I knew it was Walmart--reported to police, Walmart denied it, then after a year Walmart was "outed" and they had continued to allow millions of customers to have their credit information stolen). After that, I got serious.

I have two emails--a Yahoo! account that I use for casual logons that I don't really want, and my Gmail account for logons I *do* want. And no payments directly by credit card, ever--only through one of the three payment services.

Yes, this has meant that, occasionally, I will not give to a GoFundMe or local non-profit. I sometimes contact them and try to explain that they need to accept one of the payment services to get a donation from me, and that the reason is security. They sometimes respond by adding, say, Paypal.

Anyway, I do cancel old unused accounts when I can, but as you noted, it's often more trouble than it's worth, sometimes requiring a call-in that can take a long time on hold.
 
  • Like
Likes jedishrfu and anorlunda
  • #13
anorlunda
Staff Emeritus
Insights Author
9,012
5,924
I do know that Paypal, Google and Amazon put HUGE amounts of effort into keeping customer information locked down.
That is an excellent point that I never considered before. I may rethink my own habits.

But that same dichotomy also exists with offline transactions, such as at a store. These various e-pay systems that let you wave your phone at the register. They may have the potential to be more secure than use of a credit or debit card. But potentially more secure is not the same as actually more secure.

As consumers, we don't have the ability to do a security audit on our service providers, so it all comes down to trust. There is some validity to trusting famous names like Paypal, Google, Amazon, Apple, because if they are careless, it would make headlines in the news. But Visa and Mastercard are also famous names, and credit cards indemnify us from loss due to fraud. Their customer service phone numbers become part of the security, because I can call and dispute a charge.

I would like to see an article from a trusted expert like Bruce Schneier comparing the security of e-pay methods with traditional cards, both for online and offline transactions.
 
  • Like
Likes harborsparrow
  • #14
Wrichik Basu
Insights Author
Gold Member
2020 Award
1,624
1,511
And no payments directly by credit card, ever--only through one of the three payment services.
Here in India, whenever we pay using a credit card directly, we have to put in two numbers that the payment gateway does not (or should not) store — the CVV and an OTP. The CVV is a three-digit number that comes with the card and cannot be changed; it expires when the card expires. The gateway may save the card details like card number, expiry date, etc. but not the CVV. Once it is entered, we are taken to our bank's website where we have to put in the OTP that is sent to our registered mobile number. This concludes the transaction. Even if I consider the case where a keylogger steals the CVV, they will not be able to make a purchase unless they get the OTP.

Only two gateways do not follow this process — Paypal and Google. We generally do not use Google; if we do, it is mainly for purchases on Google Play, and we remove the card soon after the purchase is complete.
 
  • Like
Likes harborsparrow and jedishrfu
  • #15
harborsparrow
Gold Member
602
150
...Visa and Mastercard are also famous names, and credit cards indemnify us from loss due to fraud. Their customer service phone numbers become part of the security, because I can call and dispute a charge.
The older wisdom was that credit cards do provide legal protection in case you need a refund. However, most places now (or so I have found) are pretty good about giving refunds if needed, and so unless it's a very large transaction, I stick with the payment services.

The point is, the unbelievable hassle one gets from having one's credit card stolen is terrible. And then, you have to worry for years afterwards about your entire identity being hijacked. THAT was the worry that changed my habits away from using a credit card in lots of places.
 
  • #16
Where it's supported, I delete my card details after I finish a transaction. I'd rather re-enter the details whenever needed. One vendor deletes automatically, after a period to cover refunds and the like. Some don’t offer an option to delete and I wish they did.

I do not reuse passwords. If I decide to be lazy for a website that requires that I replace an expired password on their system and the password is already especially long, I’ll make a small change, because the small change can cascade into a big change in the encrypted form.

I do not use a password storage system in which a single password is a point of vulnerability, because if someone cracks it, they can get all of the other passwords.

Using false information in one’s identity or biography may violate terms. Sometimes, that has a sanction.

Security Q&As are an annoyance. I can't be sure that some database out there doesn't have my first pet's name (which, by the way, I forgot). For Q&As, I give fictional answers, so that something like "what's your sister's name?" is answered with something like "742748-fictional-6592647". Then they can sell my sister's name and I told them it's fictional so that should eliminate any issue with my giving false info. If I can create the question, it might be something like "why do elephants go spelunking on Tuesdays?", answered as "37 frying pans per twig". But Q&A systems are a serious vulnerability and I think one website I use dropped the system.

I don’t think most privacy policies are the least bit binding, so I don’t bother reading most of them or relying on privacy. My own websites are explicit about not giving privacy.

Terms are binding and I read them. I have sometimes refused to have a relationship with a website specifically because of the terms.

Account deletion should be an option. I think some websites decline to offer it because they hope you'll reactivate yours and because the statistic of humongous numbers of accounts increases the site's value for advertising and for sale of the website.

Free email accounts are generally deleted after a period of not using your login (perhaps a few months or a year), then perhaps reopened some months later but with a new password not disclosed to the original holder, then closed again for good; the reopening is to use the address as a spam honeypot, because your friends et al. presumably are not using that address anymore.

Historical record preservation is possible even with an account being closed by a website; all they have to do is disable your password, which one site did to me along with changing my username when I insisted on closing my account (that was good enough for me). They could, for example, store the data under the username but not allow any password to work except by an admin.

One site, when I discovered that not only am I responsible for whatever is done under my login (I knew that before and accepted that) but that they transmit my password in plaintext over the Internet, said it's illegal for them to close an account. I suspect their own customer service representative (reached via the CEO) was a lawyer who had a more helpful view of the law.

Another place suggested they don't know how to close an account. I reminded them it's generally done by deleting a row from a database table (a more sophisticated way is by adding a field for disabling the account even with a password so only the IT staff can enable it again) and they might have manuals to tell them how. But also I suggested they could send me all of their servers, mirrors, and backups so I could do it and then I would return everything for a fee to be negotiated when I'm done; that inspired them to close the account without my help.
 
  • Like
Likes anorlunda
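
The "disable rather than delete" closure described in the post above, where the archive stays under the username but no password works, can be sketched as follows. This is an added example, not part of the original post and not any site's actual code; the schema, table and column names, and the sample user are constructed assumptions.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def setup():
    """Build an in-memory database with one constructed account and post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
            email TEXT, salt BLOB, pw_hash BLOB, disabled INTEGER DEFAULT 0);
        CREATE TABLE posts (id INTEGER PRIMARY KEY,
            account_id INTEGER REFERENCES accounts(id), body TEXT);
    """)
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts (username, email, salt, pw_hash) VALUES (?,?,?,?)",
               ("skipper", "skipper@example.com", salt, hash_pw("correct horse", salt)))
    db.execute("INSERT INTO posts (account_id, body) VALUES (1, 'archived post')")
    return db


def login(db, username, password):
    row = db.execute("SELECT salt, pw_hash, disabled FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None or row[2] or row[1] is None:
        return False  # unknown, closed, or credential scrubbed
    return hmac.compare_digest(hash_pw(password, row[0]), row[1])


def close_account(db, username):
    """Disable login and scrub credential and contact data; posts stay."""
    db.execute("UPDATE accounts SET disabled = 1, email = NULL, salt = NULL, "
               "pw_hash = NULL WHERE username = ?", (username,))
    db.commit()


def post_count(db, username):
    return db.execute("SELECT COUNT(*) FROM posts p JOIN accounts a "
                      "ON a.id = p.account_id WHERE a.username = ?",
                      (username,)).fetchone()[0]
```

Scrubbing the stored hash as well as setting the flag means a later database leak cannot expose the closed account's password, which matters when that password was reused elsewhere.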
  • #17
Tom.G
Science Advisor
3,624
2,341
...I would return everything for a fee to be negotiated when I'm done;...
Plus shipping I presume. :wink::wink:
 
  • #18
DaveC426913
Gold Member
19,093
2,599
But things change, and I haven't used BoatUS since 2017.
You have this whole thing backwards.

The best way to remedy your problem is to get another boat.
 
  • Like
  • Love
Likes Wrichik Basu, Vanadium 50, anorlunda and 1 other person
