 * Case Number: a20160616.1
 * Status: closed
 * Claimant: Stephen Z
 * Respondent: CAcert
 * initial Case Manager: EvaStöwe
 * Case Manager: PietStarreveld
 * Supervisor (CM): PhilippDunkel
 * Arbitrator: EvaStöwe
 * Date of arbitration start: 2016-06-16
 * Date of ruling: 2016-06-18
 * Case closed: 2016-06-18
 * Complaint: possible hack of account
 * Relief: close account or reset PW

Before: Arbitrator EvaStöwe (A), Respondent: CAcert (R), Claimant: Stephen Z (C), Case: a20160616.1

== History Log ==
 . 2016-06-16 (issue.c.o): case [s20160616.62]
 . 2016-06-16 (iCM): added to wiki, request for CM / A
 . 2016-06-16 (iCM): informs C about case
 . 2016-06-16 (PietStarreveld): will take case as CM and select EvaStöwe as A
 . 2016-06-16 (A): hand over supervision over CM training of PietStarreveld to PhilippDunkel
 . 2016-06-16 (CM): Arbitration case a20160616.1 init mailing
 . 2016-06-16 (A): Requests Support to supply relevant account information
 . 2016-06-16 (Support): Supplies relevant account information to A
 . 2016-06-16 (A): Requests Support to supply additional account information
 . 2016-06-16 (C): Confirms regaining access to account
 . 2016-06-16 (Support): Supplies additional account information to A
 . 2016-06-16 (A): Requests Critical team to perform additional checks
 . 2016-06-16 (A): Reminds Critical team to send privacy relevant data encrypted and to A, CM and Supervisor only
 . 2016-06-17 (A): Reminds Critical team to reply soon given the nature and circumstances of the case
 . 2016-06-18 (Critical Team): Provides information requested by A
 . 2016-06-18 (A): Replies to Critical Team and announces next steps
 . 2016-06-18 (A): Requests Support to provide the information since last accessing the account
 . 2016-06-18 (Support): Replies to A with requested additional information
 . 2016-06-18 (Critical Team): Provides summary of events and further analysis to A as requested
 . 2016-06-18 (A): Thanks Critical Team and agrees with their analysis
 . 2016-06-18 (A): ruling; explains investigation and its results to C
 . 2016-06-18 (A): Thanks Support and advises them to verify the absence of possible other cases of irregular access around the time the issue started
 . 2016-06-18 (CM): Closes case

== Private Part ==
 * '''Link to Arbitration case [[Arbitrations/priv/a20160616.1|a20160616.1 (Private Part)]], Access for (CM) + (A) only'''
## ==> INCLUDE SECTION BOT
## <== INCLUDE SECTION EOT
==== EOT Private Part ====

== Original Dispute ==
{{{
Please close this account. It has been hacked and I cannot recover the password. Or please reset the password so I can close the account.
}}}

== Discovery ==
=== original situation ===
The dispute was a reply to a mail which the CAcert system sends to the primary email address of an account when a certificate for that account is created.

The claimant mentioned that
 * his account was hacked,
 * he could not log in because of a changed password,
 * because of this he asked to get the account closed, or to be given access to the account so that he could close it himself.

As this was a reply to a certificate-creation mail, it seems that a certificate was created in the account of the claimant at a time when he did not expect this.

The following aspects had to be covered:
 1. If there was an attack on an account and, if yes, whether this concerned only this account or was a general attack on CAcert
 1. Clarify if the certificate-creation mail is genuine
 1. Identify the account and the owner of the account
 1. Decide about access to the account (after clarification of ownership)
 1. Decide about revocation of the certificate
 1. Decide about closure of the account

=== results of research ===
With the help of Support the following was established:
 1. The claimant was sending from the primary email address of the account
 1. The domain for the certificate is a sub-domain from that account
 1. The certificate number presented in the certificate-creation mail links to the account of the user
 1. The certificate from the certificate-creation mail seems to be listed in the account
 1. No recent changes or other activity are visible in the account; this includes password resets and certificate creation

Additionally, the claimant had managed to gain access to the account via the 5 questions for password/account recovery, and the password was changed afterwards. The claimant also expressed that he was happy to have the access to the account restored. The claimant does not seem to want to close the account any more. (Not verified.)

With the help of the Critical team the following was established:
 1. the certificate seems to be genuine and is one of those listed in the account
 1. at some time after creation, the account was accessed via the correct password and
  a. account entries were added or changed, including the password
  a. a certificate was issued
 1. after the certificate had expired, the account was accessed again with the correct password and the certificate was renewed

The claimant contacted Support because of the automated mail sent by this renewal of the certificate, since he was not able to access the account because of the changed password.

Further it was established: after the claimant regained access, he was able to clean up the account. The claimant also revoked the certificate in question.

=== answers to original questions ===
 1. If there was an attack on an account and, if yes, whether this concerned only this account or was a general attack on CAcert
  * It seems that someone who is not the claimant gained access to the account via the correct password.
  * There was no indication of a general attack on CAcert.
 1. Clarify if the certificate-creation mail is genuine
  * It was genuine.
 1. Identify the account and the owner of the account
  * The claimant seems to be the owner of the account, as he was sending from the primary email address of that account and also stated to have gained access to the account via the secret questions. (Not further verified)
 1. Decide about access to the account (after clarification of ownership)
  * Obsolete, as the claimant (owner) managed to recover access to the account and has also changed the password, to prevent the attacker from accessing the account.
 1. Decide about revocation of the certificate
  * Obsolete, as done by the claimant.
 1. Decide about closure of the account
  * Obsolete, as the claimant now seems to want to keep the account.

== Ruling ==
{{{
I hereby come to the following ruling:

Someone was able to access the account of the claimant via a correct password and afterwards changed the password and issued the certificate in question. There was no indication for a general attack on CAcert.

The claimant was able to regain access to the account by identifying himself as owner of the account via the 5 questions. Afterwards he corrected incorrect entries, changed the password and revoked the certificate. By this no further activities regarding the account are necessary.

As the last mail from the claimant indicated that he wants to keep the account, no steps for closing the account will be done, as this does not seem to be necessary. If the claimant wants to have the account closed, he should address CAcert support with an according request, again. Nothing in this case would block a closure, so that support could close the account with normal processes, if this is the wish of the claimant.
}}}

== Execution ==
 . 2016-06-18 (A): ruling

== Similar Cases ==
|| [[Arbitrations/a20120324.1|a20120324.1]] || [[Arbitrations/a20120324.1|Valid certificate revoked?]] ||

----
 . CategoryArbitration
 . CategoryArbCaseAccountDelAssurer
 . CategoryArbCaseAccountDelNonAssurer
 . CategoryArbCaseAccountCleanup
 . CategoryArbCaseSystemTasks
 . CategoryArbCaseOthers