Loading [MathJax]/extensions/MathMenu.js
Attacks and vulnerability analysis of e-mail as a password reset point | IEEE Conference Publication | IEEE Xplore
Subscribe
ADVANCED SEARCH
Conferences >2018 Fourth International Con...

Attacks and vulnerability analysis of e-mail as a password reset point

PDF
Caleb Routh; Brandon DeCrescenzo; Swapnoneel Roy
All Authors

Abstract:

In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten...Show More

Metadata

Abstract:

In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.
Published in: 2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)
Date of Conference: 24-25 February 2018
Date Added to IEEE Xplore: 12 March 2018
ISBN Information:
DOI: 10.1109/MOBISECSERV.2018.8311443
Conference Location: Miami Beach, FL, USA
Contents

I. Introduction

E-mail is used for almost everything including shopping, paying bills, and resetting password to other services such as bank or favorite online shop. This combination of targets all within one password protected service makes it an extremely easy target for hackers (adversary). Once the adversary has access to personal credentials through email, they can easily access almost any account linked to that address by simply using the forgotten password feature provided by almost every company. This creates a very large gap in the protection of the consumer that the adversary, or whoever they sell your information to, can exploit. Even having security questions may not prevent the adversary from resetting any password with the amount of information available through public records and search engines like ZabaSearch [1].

Contact IEEE to Subscribe
More Like This
Attack and Improvement on the One-Time Password Authentication Protocol Against Theft Attacks

2007 International Conference on Machine Learning and Cybernetics

Published: 2007

A New Three Party Authenticated Key Agreement Protocol which is Defiant towards Password Guessing Attack

2019 International Conference on Automation, Computational and Technology Management (ICACTM)

Published: 2019

Show More

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.