The gift that keeps on giving: Windows Store Accounts

In 2012, I thought it might be a good idea to register for a Windows Store Account, oh sorry, 'Windows Developer Services-account'. As you might recall, signing up was a bit of a pain. After a year, I decided to get rid of it as I didn't do anything with it nor did I expect to do anything with it in the future and as it costs money, I wanted to close the account. That too was a bit of a pain.

To sign up for a Windows Store Account/Windows Developer Services-account, Microsoft outsources the verification process to Symantec. The verification process is to make sure that the person who signed up (me) really works at company X (I even own it) and Symantec is seen by Microsoft to be up to the task to do that. As you can read in my sign-up blog post, the process includes Symantec contacting a person other than the person who registered for a company who also has to be entitled to make sure that I am who I am.

Is Symantec, a totally different company than Microsoft, really up to the task? Well, let's see, shall we? As you can read above, I signed out of my Windows Store Account almost a year ago. One would think that by now Microsoft would have sent Symantec a memo in which they state that the individual 'Frans Bouma' is no longer a Windows Store developer card-carrier. In case they have (which I can't verify, pun intended), Symantec has a lousy way of keeping track, as last week my company received a lovely request from Symantec to verify with them whether 'Frans Bouma' was indeed working for my company and I was who I said I was. You know, for the Windows Developer Services account.

Now the following might read like I stepped into the oldest phishing trap in the book, but everything checked out properly: we use plain text email only, copied URLs over, and the URLs were simple and legit.

We first thought it was spam/phishing so we ignored it. But this morning a new email arrived as a reminder. So we painstakingly went over every byte in the email and headers. Headers checked out (all routed through Verisign, now part of Symantec, and Symantec itself), URLs in the email checked out (we only look at plain text emails). The email was sent to the same person who verified me 2 years ago, and we concluded it must be legit. We had a good laugh about it, but what the heck, let's verify again. How would that work exactly, that verification process?

So we copied the URL from the plain text version of the email (which was a simple URL into Symantec) to a browser; it arrived at Symantec, listed info about my account, and all that was left to do was click the verify button. It's laughably simple: just click a button! I do recall the first time it was a phone call, but instead of getting rid of this whole Symantec bullshit, Microsoft apparently decided that clicking a button instead is equal to 'making things simpler'.

After a couple of minutes, I received an email in my inbox that cheered 'congratulations!': I was re-verified, my Microsoft Developer Services account was renewed and I could keep developing apps for the Windows Store.

But… I ended my account almost a year ago? Or did I? To verify whether I really got rid of this crap or not, I went to the sites I had used before to register and end the account, but they only showed me Xbox Live stuff, no developer account info.

Headers of reply email:

Received: from spooler by sd.nl (**********************); 29 Jul 2014 10:03:43 +0200
X-Envelope-To: frans********************
Received: from authmail1.verisign.com (69.58.183.55) by **********************
 (***********************) with Microsoft SMTP Server id 14.3.174.1; Tue, 29 Jul 2014
 10:06:08 +0200
Received: from smtp5fo-d1-inf.sso-fo.ilg1.vrsn.com
 (smtp5fo-d1-inf.sso-fo.ilg1.vrsn.com [10.244.24.61])	by
 authmail1.verisign.com (8.13.8/8.13.8) with ESMTP id s6T8674q001640
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)	for
 <frans@**********************>; Tue, 29 Jul 2014 08:06:07 GMT
Date: Tue, 29 Jul 2014 08:06:07 +0000
From: <microsoft.orders@symantec.com>
To: <frans@***********************>
Message-ID: <1717526233.2131406621167061.JavaMail.support@geotrust.com>
Subject: Informatie over Microsoft Developer Services-account **********************
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Loop-Check:
Return-Path: microsoft.orders@symantec.com
X-MS-Exchange-Organization-AuthSource: **********************
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: symantec.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (**********************: microsoft.orders@symantec.com does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 0
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13320.464;SID:SenderIDStatus None;OrigIP:69.58.183.55
X-MS-Exchange-Organization-AVStamp-Mailbox: MSFTFF;1;0;0 0 0
MIME-Version: 1.0

(replaced sensitive own info with ****)
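
The header check described above can be made mechanical. As an added example (not part of the original post), this Python script separates the hop stamped by the receiving server from hops that are only sender-supplied text, and reads the SPF result; `mx.receiver.example` and `user@receiver.example` are placeholders for the redacted values, and `triage` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a subset of the headers shown on this page, with the
# redacted receiving host replaced by the placeholder mx.receiver.example.
RAW = """\
Received: from authmail1.verisign.com (69.58.183.55) by mx.receiver.example
 with Microsoft SMTP Server id 14.3.174.1; Tue, 29 Jul 2014 10:06:08 +0200
Received: from smtp5fo-d1-inf.sso-fo.ilg1.vrsn.com
 (smtp5fo-d1-inf.sso-fo.ilg1.vrsn.com [10.244.24.61]) by
 authmail1.verisign.com (8.13.8/8.13.8) with ESMTP id s6T8674q001640
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for
 <user@receiver.example>; Tue, 29 Jul 2014 08:06:07 GMT
From: <microsoft.orders@symantec.com>
Return-Path: microsoft.orders@symantec.com
Received-SPF: None (mx.receiver.example: microsoft.orders@symantec.com does not
 designate permitted sender hosts)
X-MS-Exchange-Organization-SenderIdResult: None

"""

def domain(header_value):
    """Domain part of the address in a From/Return-Path style header."""
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def triage(raw, our_mx):
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = re.search(r"from (\S+).*? by (\S+)", flat)
        if m:
            hops.append((m.group(1), m.group(2)))
    # Only hops written by our own server are trustworthy. Everything below
    # the first hop not stamped by our_mx is text supplied by the sender.
    trusted = []
    for sent_from, stamped_by in hops:
        if stamped_by != our_mx:
            break
        trusted.append(sent_from)
    spf = (msg.get("Received-SPF") or "missing").split()[0].lower()
    return {
        "trusted_hops": trusted,
        "unverified_hops": len(hops) - len(trusted),
        "spf": spf,
        "spf_pass": spf == "pass",
        "sender_id": msg.get("X-MS-Exchange-Organization-SenderIdResult", "missing").strip().lower(),
        "aligned": domain(msg["From"]) == domain(msg["Return-Path"]),
    }

print(triage(RAW, "mx.receiver.example"))
```

An SPF result of `none` means the sending domain published no policy for the receiver to check, so the only independently recorded fact in these headers is the connecting host in the topmost trusted hop.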

I wonder: will Symantec for the rest of my life try to verify me as a Windows Store developer even though I no longer have a subscription to that service from Microsoft? The data in Symantec's databases about this account will likely never be purged unless they get rid of the account data from Microsoft entirely or I stop verifying (but even then).

In 2012 I already found it pretty bad that my account info with Microsoft was shared with another 3rd party, Symantec, and today I find it even worse: I no longer have a Windows Store dev account with Microsoft, but Symantec a) still thinks I do and b) keeps the information about me while I never had the intention to sign up with Symantec at all.

Microsoft will never attract large droves of devs writing apps for its Windows Store unless it makes the whole process seamless and without leaking sensitive information to 3rd party corporations who can do whatever they please with it.
