Your privacy on Nokia Ovi Store

Published on:

My friend Adam Greenfield recently complained about the over-engineering culture at Nokia:

I was given an NFC phone, and told to tap it against the item I wanted from the vending machine. This is what happened next: the vending machine teeped, and the phone teeped, and six or seven seconds later a notification popped up on its screen. It was an incoming text message, which had been sent by the vending machine at the moment I tapped my phone against it. I had to respond “Y” to this text to complete the transaction. The experience was clumsy and joyless and not in any conceivable way an improvement over pumping coins into the soda machine just the way I did quarters into Defender at the age of twelve.

It’s not that the NFC-based, phone-to-object interaction didn’t work. Of course it did: it had been engineered perfectly. But what it hadn’t been was designed. Those responsible for imagining the interaction apparently wanted to protect users against the (edge case!) contingency of someone making off with their phones and running up a huge vending-machine tab.

Today, I found out that the Nokia Ovi Store team could actually learn a few things about privacy and security from their engineers.

Yesterday, I received the following email on one of my personal addresses (name changed to protect the guy who used my email address to register):


Date: Thu, 24 Feb 2011 12:18:17 +0000 (UTC)
From: Nokia account
To: francois_@…
Subject: Welcome to your Nokia account


Hello Francoisxyz, and welcome aboard!

To experience the full suite of Ovi services, all you need to do is visit http://www.ovi.com. Alternatively, if you would like to update your Nokia account details, please visit https://account.nokia.com.

Please verify your email address by clicking the link below:

https://account.nokia.com/acct/verifyEmail?id=_____&lang=en

If clicking the link does not work, copy and paste the URL in a new browser window instead.

Thank you for joining and we hope you enjoy using Nokia services.

All the best,
Your friends at Nokia
http://www.ovi.com

Someone had used my email address to register on Ovi. The confirmation email looked quite standard and I ignored it, thinking that the registration wouldn't go through without my confirmation. (I receive a certain number of similar emails, I guess it's the price to pay for being among the first to grab my first name on popular services.)

Then today, I received this from NokiaMusic-no-reply@nokia.com:

Welcome to Music

Hi Francoisxyz,

Welcome to Ovi, the place to discover and download new music. Make sure you put this email somewhere safe because you'll need it in case you forget your Nokia account username - Francoisxyz. You won't be able to log into Music or any of the other Ovi services without it.

Your music, your way

There are millions of tracks from today's top artists and the legends of yesteryear on Ovi, spanning everything from dance to classical to rock. It's easy to get started - you can search for specific tracks, albums and artists or simply click through the genres, charts and playlists to see what's hot. If you want to know more about exploring music on Ovi, check out our help and troubleshooting page.

We're glad to have you with us.

What. The. F…! I immediately requested a password reset, which was nicely delivered to (you guessed it) my email address, and logged in to account.nokia.com to delete this profile. What I discovered at this point is that the profile was already filled in with the guy's real name, mobile phone number, country of residence, and various other personal information (I noted he likes being spammed since he authorized Nokia to send him any promotional info by both email and SMS). It took me about 10 seconds to find his Facebook profile and remind him that he should be a bit more careful when (ab)using someone else's email address.

As for Nokia, especially for a platform that wants to compete with the Apple App Store, this is appalling. Anyone who has a vague idea about security and privacy would not design a process where one can complete a registration process with a fake email address or worse, in this case someone else's address with the obvious risk — that I just illustrated — that personal information might be passed to a stranger.

If these examples are typical of the way Nokia designs things nowadays, I'm not betting on the wedding with Microsoft to stop that platform from burning.

Now let's see how long it takes for Nokia, which I'm sure cares about their customers privacy, to fix that security issue in their registration process…

[Update 28 Feb. 2011] I'm not sure whether the Nokia folks really understand the problem. Case in point, this tweet from @NokiaHelps:

@ubiquitic Account registration is verified either by email or tel. no. depending on selection during account registration. ^JR

I've proved above that Nokia does NOT verify the email address, no matter what they say. And verification by phone number does not alleviate the problem if, when the registrant has entered someone else's email address by mistake, the later receives the acknowledgment emails I have received and which allowed me to gain access to — and delete — an account that didn't belong to me.

Let me summarize the problem for short attention-span marketing/support folks:

If someone enters a wrong email address in their Nokia profile, anyone receiving the “confirmation” emails from Nokia will be able to highjack the account.

Is that clearer ?