Re: [LUG] OT: Curious spam similar to Yahoo! stuff

 


On 13/02/14 21:26, Martijn Grooten wrote:
> On Thu, Feb 13, 2014 at 06:19:19PM +0000, Simon Avery wrote:
>> I respect your opinion a lot, and your experience in this area outstrips
>> mine so perhaps I'm over-critical. I don't deal with them on a daily basis,
>> but they have failed to address what must be massively gaping holes in
>> security for far, far, FAR longer than I would deem reasonable.
> Thanks.

<SNIP>

> Authentication is hard. It becomes even harder if it appears that two
> people have access to the account: how do you distinguish the genuine
> account holder from the fake one?

One possibility occurs to me. Note the IP address they send email from. Each time a new one pops up, send an email to their backup account asking them to confirm it was them - include the message as I doubt most users would know an IP address from a postcode. If they confirm, add the IP address to accepted ones for that account. Facebook already do a similar thing - assuming the user enables it - and email you when a new device is used to access your account, so it's obviously possible.

Theoretically, they /could/ then dig or whois IP addresses the user denies are theirs and automate a spam report to the network concerned.

Julian

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
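
The per-account IP confirmation flow suggested in the post above, as an added example that is not part of the original message or any mail provider's code. The class, method names, status strings, addresses and messages are all hypothetical; the `outbox` list stands in for mail sent to the backup account, and denied IPs are only recorded for later abuse follow-up.

```python
import ipaddress
import secrets


class SenderIPGuard:
    """Tracks which sending IPs each account holder has confirmed as theirs."""

    def __init__(self):
        self.accepted = {}  # account -> set of confirmed IP strings
        self.pending = {}   # one-time token -> (account, ip)
        self.denied = []    # (account, ip) the holder said was not them
        self.outbox = []    # stand-in for mail to the backup address

    def on_send(self, account, backup_addr, ip, message):
        # Normalise the address; raises ValueError on anything that is not an IP.
        ip = str(ipaddress.ip_address(ip))
        if ip in self.accepted.get(account, set()):
            return "known"
        if (account, ip) in self.pending.values():
            # Already asked about this IP: do not flood the backup mailbox.
            return "awaiting-confirmation"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (account, ip)
        # Quote the message itself, since most users cannot judge an IP address.
        self.outbox.append({
            "to": backup_addr,
            "token": token,
            "body": f"Did you send this message?\n\n{message}",
        })
        return "confirmation-sent"

    def answer(self, token, was_me):
        # Tokens are single use: a replayed or unknown token changes nothing.
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        account, ip = entry
        if was_me:
            self.accepted.setdefault(account, set()).add(ip)
        else:
            self.denied.append(entry)  # candidate for a report to the network owner
        return True


if __name__ == "__main__":
    guard = SenderIPGuard()
    # Constructed sample data using documentation-range addresses.
    print(guard.on_send("alice", "alice@backup.example", "192.0.2.10", "Lunch?"))
    print(guard.answer(guard.outbox[0]["token"], was_me=True))
    print(guard.on_send("alice", "alice@backup.example", "192.0.2.10", "See you"))
```
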