Attacks and vulnerability analysis of e-mail as a password reset point | IEEE Conference Publication | IEEE Xplore

Attacks and vulnerability analysis of e-mail as a password reset point


Abstract:

In this work, we perform a security analysis of using e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal e-mail account, using a variety of tools: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man-in-the-middle attack, and free software to perform a brute-force attack on the login of the e-mail account. Our results expose some of the inherent vulnerabilities in using e-mail as a password reset point. The findings are extremely relevant to the security of mobile devices, since users have trended towards using mobile devices over desktops for Internet access.
Date of Conference: 24-25 February 2018
Date Added to IEEE Xplore: 12 March 2018
Conference Location: Miami Beach, FL, USA

I. Introduction

E-mail is used for almost everything, including shopping, paying bills, and resetting passwords to other services such as a bank or a favorite online shop. This combination of targets, all within one password-protected service, makes it an extremely easy target for hackers (the adversary). Once the adversary has access to personal credentials through e-mail, they can easily access almost any account linked to that address by simply using the forgotten password feature provided by almost every company. This creates a very large gap in the protection of the consumer that the adversary, or whoever they sell your information to, can exploit. Even having security questions may not prevent the adversary from resetting any password, given the amount of information available through public records and search engines like ZabaSearch [1].
