Visible to the public Attacks and vulnerability analysis of e-mail as a password reset point

TitleAttacks and vulnerability analysis of e-mail as a password reset point
Publication TypeConference Paper
Year of Publication2018
AuthorsRouth, Caleb, DeCrescenzo, Brandon, Roy, Swapnoneel
Conference Name2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)
Keywordsauthorisation, brute force attacks, brute-force attack, Collaboration, Computer hacking, e-mail servers, Electronic mail, Email, emails, human factors, Internet, middle attack, mobile devices, Mobile handsets, password, Password Reset, personal Email account, policy-based governance, Protocols, pubcrawl, public knowledge attainable, security analysis, security questions, self-service password reset point, social engineering attack, social media, vulnerability analysis
AbstractIn this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.
Citation Keyrouth_attacks_2018