On 11/07/2017 19:18, prothero--- via use-livecode wrote:
> Jonathon,
> Re password changing. If someone has forgotten their password, what most sites
> do is send a reset link to a registered email. For even better security, a code
> is sent to the user's message system, which must be received and entered before
> reset can be accomplished.

Actually, I disagree with "For even better security,..."

My email comes via my server, under my control.

SMS messages come via some mobile phone operator - and there have been multiple well-proven cases of operators demonstrating *very* poor security - you call them up, say you've lost your phone and would like your phone number switched to your new phone/SIM. They ask you some security questions (anyone think they could find my address and birthdate?) - and then switch the phone number to the new SIM. And then the fraudster gets all SMS messages from your bank, websites, etc., and you don't.

[In the UK, they are *supposed* to use the higher level of security questioning - but sometimes don't, and are sometimes vulnerable to special pleading and feeling sorry for the apparent loss-victim. See for instance

http://www.telegraph.co.uk/technology/internet-security/11896024/How-to-protect-yourself-from-SIM-swap-scams.html ]

So I'd prefer to stick to email verifications :-)

Alex.
