Hi to everyone!
I'm new here. Someone told me that Habr is like a Russian Reddit for developers (and maybe not). And I'm here today to share my story and get opinions from you, part of this community.
In August 2024 I visited Moscow and got the Russian starter pack, even as a foreigner :-)
It will be useful later because I'm moving here. Русский язык coming soon, извините!
So let's start with getting a new bank account, making a new mobile number and registering on some essential service platforms like Metro, Gorod, ВВ, Perekrestok and Yandex for delivery and taxis. And in every service I found something strange: a certain "Ivan" (I've changed the name for privacy) is present in all my accounts where I try to register.
That's it! The phone number that my bank gave me was just.... recycled! So I could start to get personal data through all these existing accounts on this new phone number of mine, but the most shocking thing occurred today!
Alarm at 9:00, I woke up and got a message from Yandex:

Nice! I immediately tried to understand what was going on, and imagine what Yandex thought to develop in their splendid system?

TADAAAA! Let's try to tear it down:
There's the phone number, and we'll call it magic_phone_number
There's me, and we'll call me user_2
And there's Ivan, and we'll call him user_1
So:
1. user_1 registers on Yandex using magic_phone_number
2. user_1 throws his number away and user_2 gets it
3. user_2 registers a new profile using magic_phone_number
4. user_2 is not informed by Yandex about the existence of user_1's profile and decides to link the profiles under the same SSO user
5. user_1 still has access to his account because meanwhile he added a secondary phone number to his profile
6. Now both user_1 and user_2 can access the same SSO user, see personal data, delivery history, taxi history and all documents that should be safely stored by Yandex
7. user_1 can order a taxi or a pizza with user_2's saved debit card and vice versa
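A toy model of the linking flow above, written as an added example for this post (it is not Yandex's code and does not describe their real system). NaiveSso merges anyone who registers with an already-known number into the existing identity, which is the behaviour the steps describe; CheckedSso treats a number that already belongs to someone else as contested, gives the newcomer a separate identity and moves the number only after the existing owner releases it through a channel they still control. The class names, the replay_post_scenario helper and the sample card values are assumptions made for this example.

```python
"""Toy model of phone-number-keyed SSO linking (constructed example, not Yandex's code).

Replays the recycled-number scenario from the post against two linking rules:
the naive one that silently joins two people into one SSO identity, and a
checked one that treats a phone number as evidence to be re-verified rather
than as a unique, permanent identity.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    owners: set = field(default_factory=set)   # user ids that can sign in to this identity
    phones: set = field(default_factory=set)   # login phone numbers attached to it
    cards: list = field(default_factory=list)  # saved cards, tagged with who added them


class NaiveSso:
    """Flawed rule from the post: phone already known -> attach the newcomer to that identity."""

    def __init__(self):
        self.accounts = []

    def by_phone(self, phone):
        return next((a for a in self.accounts if phone in a.phones), None)

    def register(self, user, phone):
        acct = self.by_phone(phone)
        if acct is None:
            acct = Account(owners={user}, phones={phone})
            self.accounts.append(acct)
        else:
            # no notice to the existing owner and no check that `user` is the same person
            acct.owners.add(user)
        return acct


class CheckedSso(NaiveSso):
    """Hardened rule: a number that already belongs to an identity is never auto-linked.
    The newcomer gets a fresh identity, and the existing owner must release the number
    through a channel other than the contested number itself."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # phone -> user id waiting to claim that number

    def register(self, user, phone):
        acct = self.by_phone(phone)
        if acct is None:
            acct = Account(owners={user}, phones={phone})
            self.accounts.append(acct)
            return acct
        if user in acct.owners:
            return acct  # same person signing in again
        fresh = Account(owners={user})  # contested number: separate identity, no phone yet
        self.accounts.append(fresh)
        self.pending[phone] = user
        return fresh

    def release(self, releasing_user, phone, confirmed_via):
        """Existing owner confirms through a second contact they still control
        (e.g. their secondary phone) that they gave up `phone`; only then does
        the number move to the user waiting for it."""
        acct = self.by_phone(phone)
        if acct is None or releasing_user not in acct.owners:
            return False
        if confirmed_via == phone or confirmed_via not in acct.phones:
            return False  # proof must not come from the contested number itself
        acct.phones.discard(phone)
        waiting = self.pending.pop(phone, None)
        if waiting is not None:
            target = next(a for a in self.accounts if waiting in a.owners)
            target.phones.add(phone)
        return True


def replay_post_scenario(sso_cls):
    """Walk through the post: user_1 registers, drops the number, user_2 registers with it."""
    sso = sso_cls()
    a1 = sso.register("user_1", "magic_phone_number")
    a1.cards.append(("user_1", "card-of-user_1"))  # constructed sample data
    a1.phones.add("user_1_secondary")              # user_1 adds a secondary phone, as in the post
    a2 = sso.register("user_2", "magic_phone_number")
    a2.cards.append(("user_2", "card-of-user_2"))  # constructed sample data
    return sso, a1, a2


if __name__ == "__main__":
    _, n1, n2 = replay_post_scenario(NaiveSso)
    print("naive: one shared identity?", n1 is n2, "owners:", n1.owners)
    sso, c1, c2 = replay_post_scenario(CheckedSso)
    print("checked: separate identities?", c1 is not c2, "pending:", sso.pending)
```

With the naive rule the two people end up as co-owners of one identity and each can see the other's saved card, exactly the situation in step 6 and 7 above. With the checked rule user_2 gets an identity of their own and the number stays with user_1 until user_1 releases it from a contact that is not the disputed number.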
Things that I can do:
Of course the first thing I can do is just delete the profile and forget everything, but that's not how I was raised! It's a question of principles!
Let's try to remove magic_phone_number from user_1's profile

No.... It doesn't seem to be an option at all; I just want to remove magic_phone_number from user_1's profile.
Let's continue, what about 2FA? Still the same: it will be active for both profiles, and maybe it will require only the main number or maybe not, and I might even lock the poor user_1 out of his account.
There's apparently no way to unlink accounts. GREAT JOB

And you? What do you think? Is it worse that mobile numbers are widely recycled, or that platforms use phone numbers as the primary authentication method, which fails in uniqueness in favor of simplicity? What should I do now? Try to contact Yandex? Change number and re-register on Yandex and all websites?
P.S. Ivan stole almost all my FIRST_ORDER_PROMO_CODE in the principal supermarkets :-(