Facebook teams up with Yahoo to create safe email standard
A new email standard called RRVS (Require-Recipient-Valid-Since) has been unveiled by Facebook. The new standard comes through the social network working in conjunction with Yahoo, and is designed to protect users against potential account hijacking.
It's now over a year since Yahoo decided that the time had come to start recycling email addresses that had lain dormant and unused. Concerns were voiced that little used email addresses could end up falling into the wrong hands and be used for nefarious purposes. With email addresses used for much more than just email communication -- often doubling up as login credentials -- the need for security in this area is apparent.
Yahoo's email address recycling was something Facebook watched closely. "If a Facebook account were connected to a recycled Yahoo email address, that account could be taken over by the new Yahoo account owner via a password change request if no additional protections were in place," says Facebook software engineer Murray Kucherawy. RRVS is essentially an extension to the SMTP standard which increases security by double-checking when the ownership of a given email address was last known:
Working with our counterparts at Yahoo, we quickly proposed and prototyped an enhancement to email that mitigates this problem. The enhancement inserts a timestamp within an email message to indicate when we last confirmed the ownership of a Yahoo account. If the account changed hands since our last confirmation, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.
While at the moment the standard only involves Yahoo and Facebook, details have been published so that others can work to combat the problem of account hijacking.