Email Changes

Ran across a site where if one changes the email address associated with the account, it sends the confirmation email to the new address.

Say, I am a Blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from victim@outlook.com to my blackhatalias@gmail.com. Sending the confirmation to blackhatalias rather than the victim ensures a compromised account will get altered. Strong security would want to prevent the change unless the owner of victim@outlook.com confirms the change.

Though, it does look like an email was sent to victim@outlook.com almost 3 hours after the confirmation saying:

Still scary. The blackhat has probably already made off with the data and done the damage.

I get the temptation to allow users to change their email address to a new one. It will prevent support phone calls because if they no longer have control of the old email account, users can simply change it to another address they do.

Of course, the site in question also does not have Two Factor Authentication. But, then it also is just a support forum. So, the ramifications of losing the account is impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.

Verification Codes

One would hope that verification codes would be extremely random. More randomness makes it harder for a malicious entity (person or computer) to guess the code. Less randomness makes it easier. With all the Two-Factor Authentication (2FA) out there, we hope there is enough randomness in these methods to make them unguessable by someone attempting to get into our accounts. But, like all security technology, the hackers get better and protections get easier to break over time.

There is a current temptation to record the codes my generators provide to see if there is a pattern. At least in the back of my head it “feels” like there might be one. My intuitions sometimes turn out true (confirmation bias) and usually do not (reality). If little ole me can see the pattern, then I am sure smarter people than I have seen it as well and maybe even have a way to anticipate the codes.