?
Solved

Security Issue with Financial Site

Posted on 2014-04-29
4
Medium Priority
?
271 Views
Last Modified: 2014-05-18
My company deals with a outside company for 401k. We just noticed a security hole in the password reset process on their company site.There is no second layer of authentication to verify the user such as a security question to reset the password (it clearly exposes the current password by clicking on a redirected link once you retrieve the email from your account). If the email is forwarded or someone has access to my account my account is now open to compromise with this method. I am looking for some official documentation to prove my point. Any suggestions?
0
Comment
Question by:jaxon_b
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 10

Accepted Solution

by:
Rafael earned 2000 total points
ID: 40030515
One thing you can do is have the site scanned for vulnerabilities using a 3rd party vendor.

A couple of sites that may have the tools and or information you need are as follows:



Hope this helps.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40030546
Report it to the company in question.
0
 

Author Comment

by:jaxon_b
ID: 40030562
rcaballerojr-got anything more current perhaps a white paper from sox or pci?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40040923
I wonder what you need to prove, it seems so simple. If that mail was sent unencrypted, anyone in between might have read/copied it. So if clicking on the link does not require an authenticated VPN connection in the first place, then anybody could use that mail. Of course some sender insert a small protection by making the link expire - simply try it out from another machine.

But of course: normally, password reset processes work exactly like this. Sending to a registered mail address is seen as quite secure, because intercepting e-mails is everything but easy and if (as you proposed) someone setup a mail forwarding rule, he should really know what he is doing and fully trust the one he is forwarding to.
0

Featured Post

Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question