Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 287
  • Last Modified:

Security Issue with Financial Site

My company deals with a outside company for 401k. We just noticed a security hole in the password reset process on their company site.There is no second layer of authentication to verify the user such as a security question to reset the password (it clearly exposes the current password by clicking on a redirected link once you retrieve the email from your account). If the email is forwarded or someone has access to my account my account is now open to compromise with this method. I am looking for some official documentation to prove my point. Any suggestions?
0
jaxon_b
Asked:
jaxon_b
1 Solution
 
RafaelCommented:
One thing you can do is have the site scanned for vulnerabilities using a 3rd party vendor.

A couple of sites that may have the tools and or information you need are as follows:



Hope this helps.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
Report it to the company in question.
0
 
jaxon_bAuthor Commented:
rcaballerojr-got anything more current perhaps a white paper from sox or pci?
0
 
McKnifeCommented:
I wonder what you need to prove, it seems so simple. If that mail was sent unencrypted, anyone in between might have read/copied it. So if clicking on the link does not require an authenticated VPN connection in the first place, then anybody could use that mail. Of course some sender insert a small protection by making the link expire - simply try it out from another machine.

But of course: normally, password reset processes work exactly like this. Sending to a registered mail address is seen as quite secure, because intercepting e-mails is everything but easy and if (as you proposed) someone setup a mail forwarding rule, he should really know what he is doing and fully trust the one he is forwarding to.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now