As soon as the attacker has your email address, a process on their server logs into your email provider as you and initiates an "I've lost access to my email" password reset process.

    From then on, every question in your signup process for the attacker's service is actually a password reset question from your email provider.

Sadly, it's quite clever.
    you can treat all security questions as passwords and generate unique answers for each

I've been very distrustful of security questions ever since someone pointed out to me that they're essentially plain text passwords with a clue provided.

posted by veen: 684 days ago