Friday, May 10, 2013

Is Hotmail the Only One?

Here's a nice little bit of research out of rutgers.edu. It turns out that Hotmail will shut down your email account after it's been idle for 270 days. Not a crazy policy, and perhaps even one with some security benefit.

But here's the bad part: they also make your username (aka your email address @hotmail) available for reuse.

The researchers were able to use this detail, combined with Facebook's policy of sending password reset credentials to the email address on record, to take over the Facebook accounts associated with "expired" Hotmail accounts.

The attack was assisted by some simple scripts that make it easy to test whether a Hotmail account has expired. The biggest limitation on the attack is that Facebook generally restricts visibility of an account's email address to "Friends" of that account. In effect, automating the attack becomes a tree traversal exercise: compromise one account, then attack any friends of the compromised account who might be vulnerable.

I have a few comments on this.

  1. I understand trying to let folks have the email address they want; that's just good business.  I can even see how letting folks take an address permanently out of the pool of available addresses is begging for abuse ... but we're seeing more and more examples of how stealing an email address opens the gate wide for identity theft.  Facebook is pretty much in the mainstream with its password reset policies.  Now is a good time for Microsoft to change its policy: don't make expired email accounts available for reuse, it's just too easy to abuse.
  2. I sympathize with Facebook.  I've always considered password resets to be a very difficult problem.  Short of having somebody physically present showing ID, how can you really be certain who you're granting access to an account to?  As I am constantly reminded, "on the Internet, nobody knows you're a dog".  In this case, all you really know is that you're being asked to grant access to somebody who doesn't know the correct password. :-)
  3. Again, this problem is hard when addressed at scale.  Consider the case of Mat Honan, where Apple tried to do something more sophisticated than just fire an email to a stored email address, and yet their process was still shown to be quite vulnerable (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/).
  4. Can you say Two Factor, Single Sign On?
Here's a good summary:  http://www.net-security.org/secworld.php?id=14892

Here's the full paper: http://precog.iiitd.edu.in/events/psosm2013/9psosm3s-parwani.pdf

As my title asks: is Hotmail the only major email provider that allows reuse of email addresses?
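To make points 1, 2 and 4 concrete, here is an added example (my own, not code from the paper or from Facebook) of a recovery-channel decision that stops trusting a stored email address once the provider's idle window could have recycled it. The 270-day figure is from the post; the default window, the safety margin and the account records are constructed assumptions.

```python
from datetime import date, timedelta

# Days of inactivity after which a provider may recycle the address.
# hotmail.com: 270 days, as described in the post. Other providers are unknown
# here, so an assumed conservative default is used for them.
RECYCLE_WINDOW_DAYS = {"hotmail.com": 270}
DEFAULT_WINDOW_DAYS = 180   # assumption for providers not in the table
SAFETY_MARGIN_DAYS = 30     # stop trusting the mailbox well before it could expire


def recovery_channel(email: str, last_verified: date, today: date,
                     has_second_factor: bool) -> str:
    """Decide how a password reset may be delivered.

    'email'         mailbox was proven under the user's control recently enough
                    that the provider cannot yet have handed the address to someone else
    'second_factor' mailbox may have been recycled; use the enrolled second factor
    'manual'        no trustworthy automated channel; route to a manual identity process
    """
    domain = email.rsplit("@", 1)[-1].lower()
    window = RECYCLE_WINDOW_DAYS.get(domain, DEFAULT_WINDOW_DAYS)
    trusted_until = last_verified + timedelta(days=window - SAFETY_MARGIN_DAYS)
    if today <= trusted_until:
        return "email"
    if has_second_factor:
        return "second_factor"
    return "manual"


def triage(accounts, today: date) -> dict:
    """Map each (email, last_verified, has_second_factor) record to its channel."""
    return {email: recovery_channel(email, verified, today, tfa)
            for email, verified, tfa in accounts}


if __name__ == "__main__":
    # Constructed sample records: address, date mailbox ownership was last proven, 2FA enrolled?
    sample = [
        ("alice@hotmail.com", date(2013, 1, 30), False),   # verified 100 days ago
        ("bob@hotmail.com", date(2012, 8, 1), True),       # idle long enough to be recycled
        ("carol@hotmail.com", date(2012, 8, 1), False),    # same, but no second factor
        ("dave@example.com", date(2012, 12, 1), True),     # unknown provider, default window
    ]
    for addr, channel in triage(sample, date(2013, 5, 10)).items():
        print(f"{addr:22} -> {channel}")
```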


Wednesday, January 30, 2013

what could possibly go rong?

It appears that Facebook is expanding its practice of requiring users to send in a picture of a government-issued ID in order to unlock their accounts.

In other words, anybody with Photoshop (probably just Paint) can convince Facebook that they're who they say they are.

Really?

http://idealab.talkingpointsmemo.com/2013/01/instagram-asking-for-users-government-issued-photo-ids-now-too.php

If you can't authenticate a user, just admit it and move on.  Don't engage in security theater and force legitimate users to put their own PII at risk (because you know that some users will not sanitize the picture before emailing it in).