LUWS Account Security Breach

Share discussions around the Classic Local Unit Website (LUWS).
dmaynes
Member
Posts: 233
Joined: Sat Nov 01, 2008 9:50 am
Location: Pleasant Grove, Utah

LUWS Account Security Breach

Postby dmaynes » Thu Jul 16, 2009 3:56 am

As every Website administrator knows, the security of the LUWS Account depends upon a trust network of individuals who have access to private information. The LDS Account is more secure than the LUWS Account, but the account may still be breached by an individual possessing the private information.

Unfortunately, an LUWS Account has been created for a member of my ward by another individual, who is not a member of my ward. I am now trying decide upon the best course of action.

Any advice would be appreciated.

Thanks,
Dennis

User avatar
aebrown
Community Administrator
Posts: 14691
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Thu Jul 16, 2009 5:04 am

dmaynes wrote:As every Website administrator knows, the security of the LUWS Account depends upon a trust network of individuals who have access to private information. The LDS Account is more secure than the LUWS Account, but the account may still be breached by an individual possessing the private information.

Unfortunately, an LUWS Account has been created for a member of my ward by another individual, who is not a member of my ward. I am now trying decide upon the best course of action.


Just to clarify, you say "an LUWS Account has been created." I assume you mean "an LDS Account has been created and used to access LUWS," since there is no separate LUWS Account at this point.

I suppose the first question is if the other person created the account with the permission of your ward member. Since you speak of "breach" I imagine the answer is no, but to be complete, the question should be asked.

Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.

Your ward member could take back the account by going to ldsaccount.lds.org and following the "Can't sign in" steps and specifying a new e-mail address, but the problem is that the other person knows enough information to take control again. There's not much point in such a tug-of-war.

So you need help from someone who can verify the member is really the right person, and take some steps to make sure that the account is restored to the rightful owner and no longer hijacked. That requires specific technical assistance.

dmaynes
Member
Posts: 233
Joined: Sat Nov 01, 2008 9:50 am
Location: Pleasant Grove, Utah

Postby dmaynes » Thu Jul 16, 2009 5:23 am

Alan_Brown wrote:Just to clarify, you say "an LUWS Account has been created." I assume you mean "an LDS Account has been created and used to access LUWS," since there is no separate LUWS Account at this point.


The account was created before the LDS Accounts were introduced. It is an LUWS Account. I am working with the member to create an LDS Account, but this member has never accessed the websites before. Even after the LDS Account is created, the account will not be secure.

Alan_Brown wrote:I suppose the first question is if the other person created the account with the permission of your ward member. Since you speak of "breach" I imagine the answer is no, but to be complete, the question should be asked.


The answer is no. This account was created without the knowledge or the permission of my ward member.

Alan_Brown wrote:Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.


I will talk with the ward clerk and with the bishop.

Alan_Brown wrote:Your ward member could take back the account by going to ldsaccount.lds.org and following the "Can't sign in" steps and specifying a new e-mail address, but the problem is that the other person knows enough information to take control again. There's not much point in such a tug-of-war.


Exactly! I'm thinking that I will have to disable the account. I think that I also need to disable the display of all information concerning this member from the ward directory. I'm concerned about the security of the ward website and the personal security of the member whose account was hijacked.

I'm wondering if there would be a way to "lock" the LDS Account to prevent a tug-of-war. I realize this is not a current functionality, but I see it as being an important option when untrustworthy individuals have access to the private information that is needed to maintain and create the LDS Account.

Alan_Brown wrote:So you need help from someone who can verify the member is really the right person, and take some steps to make sure that the account is restored to the rightful owner and no longer hijacked. That requires specific technical assistance.


I have already verified the identity of the member and I am already taking steps to wrest control of the account from the imposter.

dmaynes
Member
Posts: 233
Joined: Sat Nov 01, 2008 9:50 am
Location: Pleasant Grove, Utah

Postby dmaynes » Thu Jul 16, 2009 5:28 am

Alan_Brown wrote: Assuming the creation of the LDS Account was unauthorized, I would recommend that you work with your ward clerk, who would work with Local Unit Support on this matter. The other alternative would be for the member to use the Contact Support links at ldsaccount.lds.org.


Are you suggesting that it is possible to create a new MRN for the member?

User avatar
aebrown
Community Administrator
Posts: 14691
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Thu Jul 16, 2009 5:54 am

dmaynes wrote:Are you suggesting that it is possible to create a new MRN for the member?


No, I didn't mean to imply that at all. I just think that there must some way to stop someone who knows the MRN from hijacking the LDS Account.

lajackson
Community Moderators
Posts: 6138
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Thu Jul 16, 2009 9:23 am

Alan_Brown wrote:I just think that there must some way to stop someone who knows the MRN from hijacking the LDS Account.


But isn't the MRN the key to the account? Retrieving a password, etc.?

If a new login is created for the MRN, would the imposter be able to get into the account without guessing the new login?

lajackson
Community Moderators
Posts: 6138
Joined: Mon Mar 17, 2008 9:27 pm
Location: US

Postby lajackson » Thu Jul 16, 2009 9:28 am

dmaynes wrote:The answer is no. This account was created without the knowledge or the permission of my ward member.

I will talk with the ward clerk and with the bishop.


I think communication between both bishops is very important. The imposter's bishop, especially (and maybe even his stake president). There are some deeper issues here than just the login.

atticusewig
Member
Posts: 308
Joined: Fri Jan 19, 2007 9:48 am

nature of intruder ?

Postby atticusewig » Thu Jul 16, 2009 9:58 am

Is the suspected person who created the account
a family member (or former family member) or did
he gain access to the information because he was
in a position of authority ?

Also, what would be the motive, other than nuisance ?

Unlike a LDSAccount, a LUWS account would only allow
access to the ward website. There really is not much you
can do there except bother the admin with non-sensical
calendar submissions.

In addition to disabling the account, (and removing directory
information, if you suspect physical harm) there is a way
to give her an account if she really, really needs one.

[Edit: Removed method that would violate Church security mechanisms.]

- Atticus

russellhltn
Community Administrator
Posts: 20755
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Thu Jul 16, 2009 9:59 am

Just for clarification:

What evidence is there that someone has actually created the old LUWS account? From what I gather, the evidence is only that in the creation of a new account for a member, it has been discovered that there's an existing one. Is there any evidence that it's been used? Do you know the identify of the user?

I would not rule out the member had forgotten that they created the account in the past.

Also, LUWS used to use NetID. NetID was used for church sites other than LUWS. Current examples include Employment Resource Database, Perpetual Education Fund, and MTC Referral Manager. Perhaps the NetID account was created for one of those other sites and there is no impersonation at all.

However, this does bring up a good point. Currently, anyone who knows the MRN and Confirmation Date of a member can take control of a LDS Account. If there is a way to prevent this, we haven't heard about it yet.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

User avatar
mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah
Contact:

Postby mkmurray » Thu Jul 16, 2009 10:16 am

RussellHltn wrote:Currently, anyone who knows the MRN and Confirmation Date of a member...

Actually, that's changed. Now it's just MRN and birthdate.
Many questions are already answered on the LDSTech wiki. Check it out!


Return to “Classic Ward & Stake Sites (LUWS)”

Who is online

Users browsing this forum: No registered users and 1 guest