I have been on a mission as of late to migrate all of my login details for the accounts I use email with from one domain name I have to another. I decided to stop using the main domain name I have been using for years. One of the main drivers was cost. It’s pretty expensive each year to own it. It is a country-specific one and not cheap like a .com. It is also no longer as relevant for me. I loved its simplicity. It just didn’t make sense to keep having it long term. It is paid for through 2021 or something. I have time to confirm I’ve captured every account and moved it.
In the process of doing this I am also closing accounts I don’t need anymore. It’s a great spring cleaning in the autumn. I originally wrote this in the fall of 2019.
When I attempted to change the email address I used with NordVPN I realized they do not have an option to do that in their online portal. I have come across this issue a bunch of times going through this change process. Even though it’s annoying, I typically open a case to request a change and it’s done pretty quickly.
For my own security reasons I use a unique email address for every account that I create online. This allows me to know when my information is being sold or if an email is authentic. It also protects me if one provider is compromised and the account details are sold or published online. There are lots of times where I receive a message that looks semi-legitimate. It is only when I look and see it’s going to a completely different email address than I gave them that I know it’s fake.
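The alias check described above can be automated. The following is an added example, not code from the original post: it compares the alias a message was delivered to against the vendor its From address claims to be. The alias registry, the domains and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: the alias handed to each vendor -> that vendor's mail domain.
ALIASES = {
    "shop-a@mail.example": "shop-a.example",
    "vpn-b@mail.example": "vpn-b.example",
}

def sender_domain(msg):
    """Domain of the real From address (not the display name), lowercased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def recipients(msg):
    """Every address the message was sent or delivered to, lowercased."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    return {addr.lower() for _, addr in getaddresses(hdrs) if addr}

def classify(raw):
    msg = message_from_string(raw)
    dom, rcpts = sender_domain(msg), recipients(msg)
    # Aliases belonging to the vendor the From domain claims to be (subdomains count).
    claimed = {a for a, d in ALIASES.items() if dom == d or dom.endswith("." + d)}
    used = rcpts & ALIASES.keys()
    if claimed & used:
        return "consistent"    # right alias; From can still be forged, so not proof
    if claimed:
        return "wrong-alias"   # claims a vendor but went to an address it never had
    if used:
        return "alias-leaked"  # a vendor-only alias reached some other sender
    return "unknown"

def mk(frm, to):
    """Build a constructed sample message with the given From and To headers."""
    return f"From: {frm}\nTo: {to}\nSubject: Your account\n\nPlease review.\n"

if __name__ == "__main__":
    print(classify(mk("billing@shop-a.example", "shop-a@mail.example")))
    print(classify(mk("Shop A <help@shop-a.example>", "vpn-b@mail.example")))
    print(classify(mk("deals@marketing.example", "shop-a@mail.example")))
```

A "consistent" result only means the message reached the alias that vendor was given; it says nothing about whether the From header is genuine.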
This setup makes things more secure from phishing or other exploits. The downside is it is not so straightforward to get a message via one of these aliases I set up and reply back easily. That is because my email provider Protonmail charges for each alias you use. To get around that I use their catchall feature. I can have unlimited inbound email addresses. The catch is I can only reply from 5 of them. Most of the mail I get other than personal mail I don’t really need to reply to. The trade-off is worth it for me most of the time.
In this instance with NordVPN I was asked to reply to the support case via email. Usually in this situation I use an email program that allows me to send outbound mail, and I can edit an alias to match the email address I’m using with that vendor. It’s slightly annoying; however, if I don’t have to do it often it’s not that big of a deal.
There were challenges in validating my account with NordVPN. That required several emails back and forth. In one instance when I was away from my desk I got lazy and just replied from my generic catchall address. That exposed my default address to the vendor. I wasn’t that concerned about revealing that address to them; however, it was sloppy of me. What was silly was their reply. After two more rounds of back-and-forth I was told I needed to send a response from the original email address since that was the one on file with them.
What seems silly to me is this company was relying on an email “from address” as some sort of security validation? Whenever I do send them mail I’m literally cutting and pasting the contents to a new message and spoofing the address. Anyone can do that. Yet somehow they feel that if I receive their message it isn’t enough. In my case I am spoofing an address of my own so that’s not bad. What is bad is mail spoofing is super easy and this company somehow thinks it’s a security function to get mail from a specific address.
If you are going to insist on a security measure, why do they not have a secure ticket portal that my login to their service gets me into? Or a built-in chat system within their app, among other things that are more secure than email.
I found this whole experience dealing with this VPN provider to be very frustrating. I am only writing about it because of the hypocritical things they said. Do not tell me you are a security company and then rely on a “reply to” as a validation you are speaking to the right person. Another thing they did was they wanted me to send old credit card details in cleartext email. Yes, the card was 2 years old; however, still don’t say you are a security company and ask for PII in a cleartext email.
The situation’s been sorted. I have updated my email address eventually. I’ve been using NordVPN as my provider for years. This extremely poor experience has left me looking for a new provider when this one runs out. It’s partly due to just the bad communication back and forth. And part of it is the hypocrisy of claiming that they are a security company and using some of the most insecure methods to communicate.
UPDATE: Just as I started to write this post in late 2019 it came out that NordVPN had two separate public incidents where they were compromised. That along with this story got me to move providers 4 months before my contract term ended with NordVPN.