LUWS Account Security Breach
-
- Member
- Posts: 233
- Joined: Sat Nov 01, 2008 10:50 am
- Location: Pleasant Grove, Utah
As every Website administrator knows, the security of the LUWS Account depends upon a trust network of individuals who have access to private information. The LDS Account is more secure than the LUWS Account, but the account may still be breached by an individual possessing the private information.
Unfortunately, an LUWS Account has been created for a member of my ward by another individual, who is not a member of my ward. I am now trying to decide upon the best course of action.
Any advice would be appreciated.
Thanks,
Dennis
- aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
dmaynes wrote: As every Website administrator knows, the security of the LUWS Account depends upon a trust network of individuals who have access to private information. The LDS Account is more secure than the LUWS Account, but the account may still be breached by an individual possessing the private information.
Unfortunately, an LUWS Account has been created for a member of my ward by another individual, who is not a member of my ward. I am now trying to decide upon the best course of action.
Just to clarify, you say "an LUWS Account has been created." I assume you mean "an LDS Account has been created and used to access LUWS," since there is no separate LUWS Account at this point.
I suppose the first question is if the other person created the account with the permission of your ward member. Since you speak of "breach" I imagine the answer is no, but to be complete, the question should be asked.
Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.
Your ward member could take back the account by going to ldsaccount.lds.org and following the "Can't sign in" steps and specifying a new e-mail address, but the problem is that the other person knows enough information to take control again. There's not much point in such a tug-of-war.
So you need help from someone who can verify the member is really the right person, and take some steps to make sure that the account is restored to the rightful owner and no longer hijacked. That requires specific technical assistance.
-
- Member
- Posts: 233
- Joined: Sat Nov 01, 2008 10:50 am
- Location: Pleasant Grove, Utah
Alan_Brown wrote: Just to clarify, you say "an LUWS Account has been created." I assume you mean "an LDS Account has been created and used to access LUWS," since there is no separate LUWS Account at this point.
The account was created before the LDS Accounts were introduced. It is an LUWS Account. I am working with the member to create an LDS Account, but this member has never accessed the websites before. Even after the LDS Account is created, the account will not be secure.
Alan_Brown wrote: I suppose the first question is if the other person created the account with the permission of your ward member. Since you speak of "breach" I imagine the answer is no, but to be complete, the question should be asked.
The answer is no. This account was created without the knowledge or the permission of my ward member.
Alan_Brown wrote: Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.
I will talk with the ward clerk and with the bishop.
Alan_Brown wrote: Your ward member could take back the account by going to ldsaccount.lds.org and following the "Can't sign in" steps and specifying a new e-mail address, but the problem is that the other person knows enough information to take control again. There's not much point in such a tug-of-war.
Exactly! I'm thinking that I will have to disable the account. I think that I also need to disable the display of all information concerning this member from the ward directory. I'm concerned about the security of the ward website and the personal security of the member whose account was hijacked.
I'm wondering if there would be a way to "lock" the LDS Account to prevent a tug-of-war. I realize this is not a current functionality, but I see it as being an important option when untrustworthy individuals have access to the private information that is needed to maintain and create the LDS Account.
Alan_Brown wrote: So you need help from someone who can verify the member is really the right person, and take some steps to make sure that the account is restored to the rightful owner and no longer hijacked. That requires specific technical assistance.
I have already verified the identity of the member and I am already taking steps to wrest control of the account from the imposter.
-
- Member
- Posts: 233
- Joined: Sat Nov 01, 2008 10:50 am
- Location: Pleasant Grove, Utah
Alan_Brown wrote: Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.
Are you suggesting that it is possible to create a new MRN for the member?
- aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
-
- Community Moderators
- Posts: 11479
- Joined: Mon Mar 17, 2008 10:27 pm
- Location: US
Alan_Brown wrote: I just think that there must be some way to stop someone who knows the MRN from hijacking the LDS Account.
But isn't the MRN the key to the account? Retrieving a password, etc.?
If a new login is created for the MRN, would the imposter be able to get into the account without guessing the new login?
-
- Community Moderators
- Posts: 11479
- Joined: Mon Mar 17, 2008 10:27 pm
- Location: US
dmaynes wrote: The answer is no. This account was created without the knowledge or the permission of my ward member.
I will talk with the ward clerk and with the bishop.
I think communication between both bishops is very important. The imposter's bishop, especially (and maybe even his stake president). There are some deeper issues here than just the login.
-
- Member
- Posts: 308
- Joined: Fri Jan 19, 2007 9:48 am
Nature of intruder?
Is the suspected person who created the account a family member (or former family member) or did he gain access to the information because he was in a position of authority?
Also, what would be the motive, other than nuisance?
Unlike an LDS Account, an LUWS account would only allow access to the ward website. There really is not much you can do there except bother the admin with nonsensical calendar submissions.
In addition to disabling the account (and removing directory information, if you suspect physical harm), there is a way to give her an account if she really, really needs one.
[Edit: Removed method that would violate Church security mechanisms.]
- Atticus
-
- Community Administrator
- Posts: 34505
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
Just for clarification:
What evidence is there that someone has actually created the old LUWS account? From what I gather, the evidence is only that in the creation of a new account for a member, it has been discovered that there's an existing one. Is there any evidence that it's been used? Do you know the identity of the user?
I would not rule out that the member had forgotten that they created the account in the past.
Also, LUWS used to use NetID. NetID was used for church sites other than LUWS. Current examples include Employment Resource Database, Perpetual Education Fund, and MTC Referral Manager. Perhaps the NetID account was created for one of those other sites and there is no impersonation at all.
However, this does bring up a good point. Currently, anyone who knows the MRN and Confirmation Date of a member can take control of an LDS Account. If there is a way to prevent this, we haven't heard about it yet.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.
So we can better help you, please edit your Profile to include your general location.
- mkmurray
- Senior Member
- Posts: 3266
- Joined: Tue Jan 23, 2007 9:56 pm
- Location: Utah