I'd like to remind everyone that unencrypted email offers no authentication
or privacy. There is no protection against MITM attacks. Consider the
following:

An evil, mean, no-good hacker breaks into a mailserver. In an atrocious
display of lack of respect for personal privacy, said hacker proceeds to
peruse the mailserver's users' e-mail.

This hacker sees a newsletter, account registration confirmation, order
receipt, etc. from an online retailer, service, etc.

The hacker uses the information in the email, which may or may not contain
the actual username, to go to the site and uses the handy dandy "I forgot my
password, please email it to me" application.

The server complies with this request and emails the account holder a new
password, or a link to where the new password can be obtained, or a clever
riddle whose answer is the new password, or whatever. Choose your method.

The hacker, from his bedroom in a suburban California neighborhood, reads
the password, visits the link, solves the riddle, etc. Since he or she (I'd
like to give a shout out to all the lady hackers out there, keeping it real
no doubt) has control of the mailserver, the hacker then makes sure that
email never reaches the actual account holder.

The hacker abuses the account in each and every last way possible, leaving
no options for exploitation unexplored.

The actual account holder receives a Mastercard statement for thousands of
dollars in goods he or she did not purchase and a visit from the Department
of Homeland Security, who demand to know why that person attempted to
purchase maps of burglary tools, weapons and controlled substances. What
else do you do with stolen credit card numbers?

Does this sound amazingly theoretical to anyone? It's not. This kind of
thing happens each and every day in deep, dark dungeons of cyberspace. The
only good solution is complete re-authentication of the account holder. The
local cable company in my area does this. If you lose your password to the
bill paying application, you must enter all of your personal information
(DOB, CC#, exp. date, address, etc.) again to get a new password. If you've
got a problem with that, you have to call their "customer service
professionals" and explain your case.
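As an added example (not part of the original post, and not any particular site's code), here is one way a site could implement the two reset flows the post contrasts: the "email me a new password" flow, where the mail channel carries the secret, and the re-authentication flow the cable company uses, where the requester must re-enter every identity attribute on file before a new password is issued. The field names, the lockout threshold, the use of PBKDF2 for storage, and the choice to return the new password directly to the requester's session rather than mail it are all assumptions; the post only says the personal information must be entered again.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED = 3  # assumption: lock the reset path after this many bad re-authentication attempts
# Assumption: the identity attributes the post lists, used as the re-authentication challenge
REQUIRED_FIELDS = ("dob", "card_number", "card_exp", "address")


def _kdf(value: str, salt: bytes) -> bytes:
    """Salted, slow hash so neither passwords nor identity attributes sit in plaintext at rest."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


def _norm(value: str) -> str:
    """Collapse whitespace and case so harmless formatting differences don't fail the check."""
    return " ".join(value.split()).lower()


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    identity_hashes: dict  # field name -> salted hash of the normalised attribute
    failed_reauth: int = 0
    locked: bool = False   # once locked, resets go through customer service, as the post describes


def create_account(username: str, email: str, password: str, identity: dict) -> Account:
    salt = secrets.token_bytes(16)
    hashes = {name: _kdf(_norm(identity[name]), salt) for name in REQUIRED_FIELDS}
    return Account(username, email, salt, _kdf(password, salt), hashes)


def check_login(account: Account, password: str) -> bool:
    return hmac.compare_digest(account.password_hash, _kdf(password, account.salt))


def weak_reset(account: Account, outbox: list) -> None:
    """The flow the post warns about: the new password is generated and sent over e-mail,
    so anyone who can read the mailbox or the mailserver can read the password."""
    new_pw = secrets.token_urlsafe(12)
    account.password_hash = _kdf(new_pw, account.salt)
    outbox.append((account.email, f"Your new password is: {new_pw}"))


def reset_with_reauth(account: Account, claimed: dict, outbox: list):
    """Hardened flow: the requester must re-present every identity attribute on file.
    Returns the new password on success (assumption: shown to the requester in the response,
    never mailed) or None. E-mail carries only an after-the-fact notice with no secret in it."""
    if account.locked:
        return None
    mismatches = 0
    for name in REQUIRED_FIELDS:  # check every field; don't stop at the first mismatch
        supplied = _kdf(_norm(claimed.get(name, "")), account.salt)
        if not hmac.compare_digest(account.identity_hashes[name], supplied):
            mismatches += 1
    if mismatches:
        account.failed_reauth += 1
        if account.failed_reauth >= MAX_FAILED:
            account.locked = True
        return None
    account.failed_reauth = 0
    new_pw = secrets.token_urlsafe(12)
    account.password_hash = _kdf(new_pw, account.salt)
    outbox.append((account.email, "Your password was reset after identity re-verification."))
    return new_pw


if __name__ == "__main__":
    # Constructed sample data, not real personal information
    ident = {"dob": "1980-01-02", "card_number": "4111111111111111",
             "card_exp": "03/25", "address": "1 Main St, Anytown"}
    acct, outbox = create_account("alice", "alice@example.test", "correct horse", ident), []
    weak_reset(acct, outbox)
    print("weak flow mailed:", outbox[-1][1])          # the secret is in the mail channel
    acct2, outbox2 = create_account("bob", "bob@example.test", "pw", ident), []
    print("reauth with wrong DOB:", reset_with_reauth(acct2, dict(ident, dob="1999-12-31"), outbox2))
    print("reauth with correct data:", reset_with_reauth(acct2, ident, outbox2) is not None)
    print("hardened flow mailed:", outbox2[-1][1])     # notice only, no secret
```

The mail outbox is a plain list standing in for an SMTP submission so the difference between the two flows is visible offline: in the weak flow the string that reaches the mailbox is the password, in the hardened flow it is only a notification. All fields are compared even after one fails, and the comparisons use `hmac.compare_digest`, so response timing does not reveal which attribute the requester got wrong.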