Augmented Earth now on the App Store!
Alex Tweedly
alex at tweedly.net
Tue Jul 11 15:46:45 EDT 2017
On 11/07/2017 19:18, prothero--- via use-livecode wrote:
> Jonathon,
> Re password changing. If someone has forgotten their password, what most sites do is send a reset link to a registered email. For even better security, a code is sent to the user's message system, which must be received and entered before reset can be accomplished.
Actually, I disagree with "For even better security,..."
My email comes via my server, under my control.
SMS messages come via some mobile phone operator - and there have been
multiple well-proven cases of operators demonstrating *very* poor
security - you call them up, say you've lost your phone and would like
your phone number switched to your new phone/SIM. They ask you some
security questions (anyone think they could find my address and
birthdate?) - and then switch the phone number to the new SIM. And then
the fraudster gets all SMS messages from your bank, websites, etc., and
you don't.
[In the UK, they are *supposed* to use the higher level of security
questioning - but sometimes don't, and are sometimes vulnerable to
special pleading and feeling sorry for the apparent loss-victim. See for
instance
http://www.telegraph.co.uk/technology/internet-security/11896024/How-to-protect-yourself-from-SIM-swap-scams.html]
So I'd prefer to stick to email verifications :-)
Alex.