On 11/07/2017 19:18, prothero--- via use-livecode wrote:
> Re password changing. If someone has forgotten their password, what most sites
> do is send a reset link to a registered email. For even better security, a code
> is sent to the user's message system, which must be received and entered before
> reset can be accomplished.

Actually, I disagree with "For even better security,..."
My email comes via my server, under my control.
SMS messages come via some mobile phone operator - and there have been
multiple well-proven cases of operators demonstrating *very* poor
security - you call them up, say you've lost your phone and would like
your phone number switched to your new phone/SIM. They ask you some
security questions (anyone think they could find my address and
birthdate?) - and then switch the phone number to the new SIM. And then
the fraudster gets all SMS messages from your bank, websites, etc., and
[In the UK, they are *supposed* to use the higher level of security
questioning - but sometimes don't, and are sometimes vulnerable to
special pleading and feeling sorry for the apparent loss-victim. see for
So I'd prefer to stick to email verifications :-)