I do not agree that websites should let users recover passwords through their mobile phones. With brief physical access to your phone, it takes only a few minutes to hijack your account, and the attacker does not need your phone's password or unlock pattern. All they have to do is move your SIM card into another phone so that they, not you, receive your SMS messages (a PIN set on the SIM card itself would stop this, but that is a separate setting from the phone lock and is rarely turned on). Allow me to demonstrate.
Testing with a Yahoo account
I created a dummy Yahoo account, entered a valid mobile number, and logged out. Pretending that I did not know the password, I clicked on the "I can't access my account" link and was presented with this screen.
The next screen asks for my Yahoo ID and a CAPTCHA to verify that I am not a bot. Entering the correct text displays this next screen.
Clicking the Next button tells Yahoo to send a code to my
mobile phone via SMS.
With my "identity" validated by nothing more than possession of the SIM, all I have to do now is enter a new password.
It is ironic that the next screen reminds you of how easy it
is to recover accounts via text messages.
Testing with a Facebook account
Facebook has a similar feature.
Choosing the above option results in an SMS message similar to the one below.
I did not try the included link, but it appears to make
resetting your password easier.
Here is the next screen.
Voila!
I only used Yahoo and Facebook as examples, but there may be other websites that use SMS to reset passwords. Honestly, I only learned yesterday that my Yahoo and Facebook accounts were set to allow a password change via my mobile phone. I entered my mobile number years ago and do not recall ever seeing those password recovery options.
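As an added illustration (not code from this post, and not how Yahoo or Facebook actually implement recovery), here is a small Python simulation of the flow described above. The SMS and e-mail networks are constructed in-memory inboxes, the account data is made up, and the SIM swap is modelled as the attacker being able to read every text sent to the victim's number. The first service accepts the SMS code on its own, as observed above; the second also requires a token delivered to the e-mail address on file, so a stolen SIM alone cannot complete the reset.

```python
"""Simulated account-recovery flows: SMS-only versus SMS plus an e-mailed token.

Added illustration, not the post's own code and not any real site's logic.
The SIM swap is modelled as the attacker reading the SMS inbox belonging to
the victim's phone number; nothing here talks to a real network.
"""
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed stand-ins for the carrier network and the mail server:
# delivering a message means appending it to the recipient's list.
SMS_INBOX = {}    # phone number -> list of SMS texts
EMAIL_INBOX = {}  # e-mail address -> list of mail bodies


@dataclass
class Account:
    username: str
    password: str   # plaintext only because this is a simulation
    phone: str
    email: str


class RecoveryService:
    """sms_only=True reproduces the design the post tests: the SMS code alone
    authorises a password change. sms_only=False also demands a token that
    was e-mailed to the address on file, so a SIM by itself is not enough."""

    def __init__(self, accounts, sms_only=True):
        self.accounts = {a.username: a for a in accounts}
        self.sms_only = sms_only
        self.pending = {}   # username -> secrets expected for the open reset

    def request_reset(self, username):
        acct = self.accounts[username]
        expected = {"sms": f"{secrets.randbelow(10**6):06d}"}
        SMS_INBOX.setdefault(acct.phone, []).append(
            f"Your verification code is {expected['sms']}")
        if not self.sms_only:
            expected["email"] = secrets.token_urlsafe(16)
            EMAIL_INBOX.setdefault(acct.email, []).append(
                f"Reset token: {expected['email']}")
        self.pending[username] = expected

    def complete_reset(self, username, new_password, sms_code, email_token=None):
        expected = self.pending.pop(username, None)   # one attempt per request
        if expected is None:
            return False
        ok = hmac.compare_digest(sms_code, expected["sms"])
        if not self.sms_only:
            ok = ok and email_token is not None and hmac.compare_digest(
                email_token, expected["email"])
        if not ok:
            return False
        self.accounts[username].password = new_password
        return True


def sim_swap_attack(service, username, victim_phone):
    """Attacker who moved the victim's SIM into their own handset: they read
    every SMS sent to victim_phone but have no access to the e-mail account."""
    service.request_reset(username)
    code = None
    for msg in SMS_INBOX.get(victim_phone, []):
        m = re.search(r"\b(\d{6})\b", msg)
        if m:
            code = m.group(1)   # the most recent code is the live one
    if code is None:
        return False
    return service.complete_reset(username, "attacker-chosen", code)


def legitimate_reset(service, username, new_password):
    """The real owner, who can read both the phone and the mailbox."""
    acct = service.accounts[username]
    service.request_reset(username)
    code = re.search(r"\b(\d{6})\b", SMS_INBOX[acct.phone][-1]).group(1)
    token = None
    if not service.sms_only:
        token = EMAIL_INBOX[acct.email][-1].split(": ", 1)[1]
    return service.complete_reset(username, new_password, code, token)


if __name__ == "__main__":
    victim = Account("victim", "original-pw", "+15550100", "victim@example.com")
    weak = RecoveryService([victim], sms_only=True)
    print("SMS-only design hijacked:", sim_swap_attack(weak, "victim", "+15550100"))
    victim = Account("victim", "original-pw", "+15550100", "victim@example.com")
    strong = RecoveryService([victim], sms_only=False)
    print("Two-channel design hijacked:", sim_swap_attack(strong, "victim", "+15550100"))
    print("Owner can still reset:", legitimate_reset(strong, "victim", "new-pw"))
```

Run it directly to watch the SMS-only design fall and the two-channel design hold. The second design is only a mitigation, not a fix: it still loses if the attacker also controls the mailbox, or if the site lets the e-mail address itself be changed with an SMS code; and the simulation leaves out code expiry, rate limiting and owner notification, all of which a production flow needs.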
/royc
Someone took advantage of the SMS vulnerability a year after I posted it. Instead of borrowing a SIM, though, they requested a SIM replacement:
https://www.facebook.com/photo.php?fbid=1577151045882074&set=a.1392697660994081.1073741831.100007615803617&type=1