How are users to respond to change of address notification?

[KT Walrus]

I'm testing my site today and got an email notification when I changed my test user's email address.

Here is the message in the email:

My question is: How is the user to respond to this if they didn't make the change?

Shouldn't the email have some sort of explanation as to what to do next, even if it is to use the Contact Us link or a Support link?

I'm sure I'll figure out how to change this text for my new site, but just wondering what the user is supposed to do. On my site they can only log in with an email address and since this email is sent to the old email address and the email address changed to somebody else's email address and that somebody probably immediately changed the password, what is the user to do? I have Contact Us page disabled for Guests. Maybe I need to re-enable it but they do need to know what to do. 

Or, am I supposed to allow replies to the Reply-To address in this notification email? Right now, I wasn't planning on monitoring this address, so maybe I should include an email address they can use to contact the site administrator to let them have access to their account again by reversing the change. 

Or, is there a "reverse email change" procedure they can go through already provided for in the ACP? Maybe a "Suspend account" until issue has been resolved action so any further damage done by the hacker can do no more harm. But, then again, the hacker probably knows the password the real user was using because they would need that to change the email address in the first place before changing to another password. Or, is changing account password restricted for a certain number of days after an email address change?

 

[KT Walrus]

I've thought about this issue overnight as to what I need to do to secure my new site, and I have decided to implement the following changes (unless IPS has or implements a better procedure to handle incidences of suspicious activity).

I did notice that there is a "Secure Account" page available to logged in users from the "Recently Used Devices" which allows the user to "Change password", but changing passwords requires the "Current password" which the real user may not know yet.

So, instead of this "Secure Account" page, I plan on implementing a "Report Suspicious Activity" page with an account specific link clickable in every email notification the account holder receives and at the bottom of every page (where the Privacy Policy and Contact Us links are). 

This new "Report Suspicious Activity" page will:

1. Immediately change the account password to something only the Admin knows.
2. Immediately suspend the account and kick everyone logged in out.
3. Have a button or option to "undo the suspension" if account wasn't suspended before reaching this page.
4. List all Recently Used Devices and allow the user to pick any or all that they suspect were used suspiciously.
5. Have a time selection input field that the user can report when they think the suspicious activity started.
6. Have a New Password and Confirm Password input field so the user can provide a new password to use when the suspension is lifted.
7. Have an additional input area for reporting what they suspect or know about the incidence.

Anyone that submits a Suspicious Activity Report will initiate a manual and automatic review by an Admin to investigate the incidence. Investigation should include being able to tell what content was changed during the period under investigation, what content was viewed during this period, what content was potentially viewable during this period, and any other activity found in the logs during this time. This may mean implementing more activity logging than IPS currently implements.

On my site, it is important that all members whose content might have been viewed or might have view content that was posted by the user since the suspected time of this security violation, be notified at the end of the investigation.

The investigation will end when the Admin manually completes the investigation or automatically after 7 days. Regardless of how the investigation is completed, notification will automatically be send to every user possibly affected by the incidence. Also, when the investigation ends, reset the user's password to the one given on the "Report Suspicious Activity" (or tell the user to perform the "Forgot Password" procedure to reset the password without logging in).

Anyway, that is my plan at this time unless IPS implements or has implemented something better. On my site, it is very important that users be notified about any suspicious activity that might have exposed their personal information to unauthorized recipients. Privacy is very important to the users of my new site and I have to let inform them of any security violations that may or may not have occurred (and how certain I am if a violation did occur that compromised their privacy).

[bfarber]

The intention is that the user would hit "reply" in their email client, and indeed you would need to monitor the address that is used for these emails. Obviously, as you've noted, you can change the verbiage in the email to implement different behavior if you prefer.