Augmented Earth now on the App Store!

Alex Tweedly alex at tweedly.net
Tue Jul 11 15:46:45 EDT 2017



On 11/07/2017 19:18, prothero--- via use-livecode wrote:
> Jonathon,
> Re password changing. If someone has forgotten their password, what most sites do is send a reset link to a registered email. For even better security, a code is sent to the user's message system, which must be received and entered before reset can be accomplished.
Actually, I disagree with "For even better security,..."

My email comes via my server, under my control.

SMS messages come via some mobile phone operator - and there have been 
multiple well-proven cases of operators demonstrating *very* poor 
security - you call them up, say you've lost your phone and would like 
your phone number switched to your new phone/SIM. They ask you some 
security questions (anyone think they could find my address and 
birthdate?) - and then switch the phone number to the new SIM. And then 
the fraudster gets all SMS messages from your bank, websites, etc., and 
you don't.

[In the UK, they are *supposed* to use the higher level of security 
questioning - but sometimes don't, and are sometimes vulnerable to 
special pleading and feeling sorry for the apparent loss-victim. See, for 
instance:

http://www.telegraph.co.uk/technology/internet-security/11896024/How-to-protect-yourself-from-SIM-swap-scams.html]

So I'd prefer to stick to email verifications :-)

Alex.



