
The Danger Of “Do Not Reply” Email Addresses

"Do not reply" or automated e-mail address domains can pose great security risks that can lead to identity theft. If you’re interested in more protection from identity theft, beware of e-mail addresses that come from “do not reply” or automated domains. While they could be perfectly harmless, it’s best to follow their directions and not reply, because you don’t know who has access to the address. Chipotle, which may make more secure burritos than they do websites these days, is the most recent example of this. The chain of Mexican fast food restaurants had been sending potential employees e-mails from “” when Michael Kohlman, an IT expert, discovered that the domain wasn’t registered and bought it for $30.

Kohlman, who was between jobs at the time, discovered the oversight when he applied for a job at the restaurant to fulfill his terms of unemployment. He was curious about the domain when he received a “bounce” message from the e-mail address that told him the e-mail was undeliverable.

Luckily, Kohlman had no malicious intent in buying the domain, and he merely hoped to teach Chipotle a valuable lesson in cyber security. Once Kohlman purchased the domain, he began receiving all e-mails sent to it. While he didn’t receive any that were forthcoming with sensitive information, he explained that he could have used this access to phish for Social Security Numbers or bank account information.

“As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage,” Kohlman told in an interview.

Kohlman has since offered the domain to the company for free, but Chipotle, which only hired its first Chief Information Officer in October, declined. In a statement, Chipotle’s spokesman Chris Arnold said that the company doesn’t see it as a big deal and has since moved all employment-related e-mails to, which is a domain they own.

These unowned domains for e-mails are not uncommon. In 2008, Chet Faliszeck, a Seattle-based programmer, bought the domain “”, which gave him access to millions of e-mails, some benign and others from Fortune 500 companies, bank customers and even government personnel.

In one instance, Faliszeck began receiving messages from Capital One customers inquiring about their accounts because Capital One had used the domain as a return address for automated payment transfers and debits. To bring attention to the faulty domain, Faliszeck set up a blog where he posted some of the most interesting e-mails that would, at most, embarrass the companies in question. For Faliszeck to take them down, all companies needed to do was provide a proof of donation to an animal shelter or humane society.

Thankfully, these “no reply” domains are gradually becoming less common for various reasons, some due to security and others in the interest of promoting communication, but many companies are still not as secure as they could be online, especially health care organizations that have been slow to catch up to the digital age.

While websites strive to improve their cyber security strategies, consumers should be extremely selective with the kind of information they share via e-mail. To better safeguard your identity, you can invest in credit monitoring. This can greatly reduce your vulnerability to ID theft and provide you with the peace of mind of knowing that you’re taking steps to protect your identity.