I guess that is more secure?



  •  So I am having problems with one of 3 login IDs I have (do not get me started on that), so from work, I email the Help Desk using my work email, and get this response:

     "Your password is not locked and is not showing any incorrect logins. If you want to have it reset you have to call in as we have to verify user name security."

    He was looking at the wrong ID, which I can let go, but I fail to see how calling is more secure than me sending an email from one of my accounts (the account he thinks I am locked out of...)? It's not like I know him well enough to know my voice.

    And for humor's sake, though it's a large building, the responder sits on the other side of my cubicle wall.



  • Monkey read script, monkey follow script, monkey get banana!

     




  • If you share a cubicle wall then trust me, he knows you by voice.




  • If the responder is that close then s/he is screwing with you.

     



  • Yeah, that email clearly has your address in the "from" header.  It couldn't have possibly been from somebody else.  SMTP is so very secure.

    Yeah, you can forge caller ID almost as easily, but maybe he needed to ask you questions whose answers you'd rather not have stored in a mail server somewhere?



  • @snoofle said:

    Monkey read script, monkey follow script, monkey get banana!

     

     

    Do I get my banana now?



  • @vt_mruhlin said:

    Yeah, that email clearly has your address in the "from" header.  It couldn't have possibly been from somebody else.  SMTP is so very secure.

    Yeah, you can forge caller ID almost as easily, but maybe he needed to ask you questions whose answers you'd rather not have stored in a mail server somewhere?

     

     

    Good call, I did not think about that. I just decided to walk around the wall and introduce myself (he really did not know who I was...)



  • @vt_mruhlin said:

    Yeah, that email clearly has your address in the "from" header.  It couldn't have possibly been from somebody else.  SMTP is so very secure.

    Sure, you can forge the "from" header... but it's not like you'd get the inevitable reply.

    e.g., Eve@example.com fakes an email to alice@example.com, with a forged From: bob@example.com header.  Alice replies.  bob@example.com receives the email.  Not eve.

    Now, it'd probably be good to make sure that alice's first reply, in this situation is, "Please confirm that you'd like your password reset by replying to this email", rather than acting on the initial communication (since it may be forged).  But once you've established that the person that reads bob@example.com actually wants this action to take place, you're in the clear.



  • @merreborn said:

    @vt_mruhlin said:

    Yeah, that email clearly has your address in the "from" header.  It couldn't have possibly been from somebody else.  SMTP is so very secure.

    Sure, you can forge the "from" header... but it's not like you'd get the inevitable reply.

    e.g., Eve@example.com fakes an email to alice@example.com, with a forged From: bob@example.com header.  Alice replies.  bob@example.com receives the email.  Not eve.

    Now, it'd probably be good to make sure that alice's first reply, in this situation is, "Please confirm that you'd like your password reset by replying to this email", rather than acting on the initial communication (since it may be forged).  But once you've established that the person that reads bob@example.com actually wants this action to take place, you're in the clear.

    Unless they are using return-path to provide an alternative reply address, which might go unnoticed in the composition window. 
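
The confirm-by-reply idea and the reply-address caveat discussed above, as an added example that is not part of any post in this thread: a help-desk-side check that works out where a reply would really be delivered, flags a mismatch with the From header, and ties the confirmation to the address on file. The function names, the token scheme and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from email import message_from_string
from email.utils import getaddresses

SECRET = secrets.token_bytes(32)  # assumption: help desk's private token key

def addrs(msg, header):
    """Lower-cased addresses found in every instance of one header."""
    return {a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a}

def reply_risk(raw):
    """Work out where a reply would really go and flag mismatches with From."""
    msg = message_from_string(raw)
    sender = addrs(msg, "From")
    reply_to = addrs(msg, "Reply-To")
    return_path = addrs(msg, "Return-Path")
    flags = []
    if reply_to and reply_to != sender:
        flags.append("Reply-To differs from From")
    if return_path and not (return_path & sender):
        flags.append("Return-Path differs from From")
    # Mail clients answer to Reply-To when it is present, otherwise to From.
    return {"from": sender, "reply_target": reply_to or sender, "flags": flags}

def issue_token(address_on_file, request_id):
    """Token mailed to the address on file, never to the reply target."""
    data = f"{address_on_file.lower()}|{request_id}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def confirmed(address_on_file, request_id, token):
    """True only if the token came back for this account and this request."""
    return hmac.compare_digest(issue_token(address_on_file, request_id), token)

# Constructed sample messages, using the names from the thread.
FORGED = ("Return-Path: <eve@example.com>\n"
          "From: Bob <bob@example.com>\n"
          "Reply-To: eve@example.com\n"
          "To: alice@example.com\n"
          "Subject: please reset my password\n\nThanks\n")
GENUINE = ("Return-Path: <bob@example.com>\n"
           "From: Bob <bob@example.com>\n"
           "To: alice@example.com\n"
           "Subject: please reset my password\n\nThanks\n")

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, reply_risk(raw))
```

A Return-Path that differs from From is common for legitimate bulk and forwarded mail, so treat that flag as a signal to look closer rather than as proof of forgery.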

