At SpiderOak we receive many inquiries every day. Some ask about features or prices or are how-do-I questions. Others are requests for help with billing or service problems, and in order to answer the latter our staff often needs to view privileged account information and discuss it with the questioner.
Malicious people know this and impersonate account owners as a ruse to obtain information useful for data or identity theft. This is such a widespread technique that there is a name for it, social engineering.
SpiderOak is the trusted data custodian for human rights campaigners in hostile environments, whistleblowers, investigative journalists and their sources, and others for whom data security is not merely desirable but is in some cases the only thing that protects them from persecution, incarceration, torture, or extrajudicial killing. We thus take seriously our obligation to protect you and your data from social engineering. Indeed, many of our customers have chosen us precisely because we do so.
Our measures begin by insisting that any privileged communication be done via the email address of record of the account in question. When an account is opened, the creator supplies his or her email address. Then at any time that address can be changed in the application. That email address, and no other, is the one via which we will discuss privileged account information.
It is true that having control of an email address is not in and of itself iron clad proof of identity. Theoretically an attacker could first hijack your email address of record, then impersonate you via it. However the opposite case, where a correspondent claims to be the account holder yet oddly neither has access to the address of record nor is able to update the address of record in the application, is certainly suspicious enough to ring our alarm bells.
As a practical matter, what this means is that if you require assistance with anything beyond an informational question, you should write us from your account's email address of record. If you are not sure which is the email address associated with your account, open the SpiderOak One or Groups application running on your computer and press Account. A window will open that shows your email address of record with us. That is the address to write us from.
In some cases the address of record is not convenient to use. You might not have that address anymore. You might have opened your account using an alias or a forwarder or a non-working address. The address of record might belong to a colleague or to the long-gone IT person who set it up for you. You might be an IT person retained by the account owner to straighten out a problem. In any of those cases, you may change the email address of record to whichever you would prefer to use to correspond with us in the same account window as previously described.
When someone writes us from an email address other than their address of record, all we can do is respond with the above information and wait for him or her to write us back from the correct address. This naturally delays the resolution of the problem, which is not in anyone's interest.
We mentioned social engineering above. An important facet of it is providing all kinds of elaborate reasons why proper user authentication needs to be obviated in this particular case. It is for this reason that the more a questioner insists that we skip our security procedures this one time, the more suspicious we become.
We hope that this clarifies why we care about the email address you write us from, and how it protects you and your data that we do so.
If you have any feedback on this article please let our support team know. Thanks!