[OpenID] Combining Google & Yahoo user experience research
Peter Williams
pwilliams at rapattoni.com
Sat Oct 18 03:50:58 UTC 2008
This assurance/practice using email is essentially identical to the infamous dollar auth transaction, against VisaNet. If one can get an auth from VISA to allow the user a $1 credit, then you can infer the VISA number is accurate, and in good standing. It implies identity verification (and you can invoke fraud law against any law breakers).
This is itself only a variant of a 100-year-old FBI trick, to induce someone under prosecution threat to commit formal mail fraud ... so one can obtain leverage (incarceration, anal probing, association with the explicit violence of gangland present in holding cells etc) during a plea bargain over something much harder to prove.
Attack surfaces tend to be multi-level (and that's a pun).
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Allen Tom
Sent: Friday, October 17, 2008 8:35 PM
To: Dick Hardt; OpenID List
Subject: Re: [OpenID] Combining Google & Yahoo user experience research
Dick Hardt wrote:
>
> The UX of getting a verified email and then auto binding an existing
> account is cleaner. It does mean that if I can prove I have your email
> address, that I can take over your account. Seems to broaden the
> attack surface rather than narrow it.
>
Hi Dick,
Many sites allow an account's password to be reset by sending a Reset
Token to an email address associated with the account. An attacker who
gains access to the email address is able to reset the password, and is
therefore able to take over the account. If the ability to reset a
password is equivalent to logging in, then the attack surface is really
unchanged.
Allen
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
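As an added illustration of the two paths Allen compares (example code written for this page, not from OpenID or any site's implementation; the store and function names are assumed), the emailed reset token is stored only as a hash, expires, and is single-use, while the auto-binding path needs nothing beyond a verified address: both paths reduce to control of the mailbox.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores for this example (assumed names, not any site's
# real code): one account, and reset tokens keyed by the SHA-256 of the token.
ACCOUNTS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
RESET_TOKENS = {}
TOKEN_TTL = 15 * 60  # seconds; a short lifetime narrows the replay window


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(username, now=None):
    """Create the token a site would email to the address on file.

    Only its hash is stored, so a copied database does not yield live tokens,
    and looking the hash up avoids comparing the secret byte by byte.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = {"user": username, "expires": now + TOKEN_TTL, "used": False}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Consume a token once, within its lifetime; return the username or None."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use: the same emailed link cannot be replayed
    ACCOUNTS[record["user"]]["password"] = new_password
    return record["user"]


def bind_verified_email(verified_email):
    """The auto-binding path: a verified email address is mapped to an account.

    Whoever can read the mailbox reaches the same account as via the reset path.
    """
    for username, account in ACCOUNTS.items():
        if account["email"].lower() == verified_email.lower():
            return username
    return None
```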