
Ask HN: How to verify customer change of address for a defunct email address? - mingabunga
Anyone have any good ideas for verifying a customer who asks to change their old email address to a new email address, where the old email address no longer works. 
I&#x27;m worried that it would be an easy way for someone to gain access to someone elses customer account&#x2F;records.
======
arkitaip
Start by sending an email (without any sensitive info) to the old account and
see what happens.

Compare the IP address from when the account was created / last accessed with
the one for the password reset request. IP addresses are easy to spoof though
so even if the IP addresses match you should be very cautious.

If you have the user's physical address, you could send a letter with an
authentication code.

------
kogir
While I worked on HN I did this for a few users. I required that the account
they wanted to update positively identify them (via comments they'd made,
items in their profile, etc), and that they be able to prove they were the
same person.

Definitely something we handled on a case by case basis and declined to do if
we weren't comfortable.

------
pmontra
You need information about him and cross check with what's available to you.
If you only have name and email, sorry.

~~~
mingabunga
Thanks, seems about the only way.

------
brudgers
If it's a serious concern, then process the issue manually and figure out what
is going on rather than trying to automate it. Handle it on a case by case
basis.

Alternatively, there are many situations where a new email address could
simply mean the site requires creating a new account.

