
Recently a provider (of SIP trunking services) I subscribe to sent me a strange email. It claimed that someone in another country attempted to reset the password to my account and was unsuccessful in answering my security question.

The provider's response to this event was to reset my password.

Dear Customer,

We received a request to reset the password for the account ‘myusername’ from the IP address 41.174.96.79 but the security question entered was invalid.

As a security precaution we have set your account's password to: roRy1391

Once you have logged in you will be prompted to change your password immediately.

(The email turned out to be real, and I was able to login and change my password successfully.)

It seems to me that the appropriate response to such an event is for the provider to do nothing. After all, what if this attacker had already gained access to my email account? Then he would have received this email, and gotten access to my account anyway.

However, there is a possibly mitigating factor. This provider always requires answering the security question whenever logging in from a new IP address. This also, in theory, would have stopped this attack if the attacker had gotten access to this password reset email.

Was this an appropriate action on the provider's part? If not, what should they have done instead, and what should I say when I yell at them?

Michael Hampton
  • 1) Are you absolutely sure the email headers are right and the email really came from them (did you call and verify the situation)? 2) I agree with Nathan, they should have never sent you an email with a password... the correct course of action was NOT to do nothing, but rather an email stating the attempt and failure with a "If you have questions or concerns about this please contact us at <>". Notifying you is smart, but taking that reset action wasn't. – TheCleaner Jul 31 '13 at 18:12
  • @TheCleaner Yes, the email actually came from the provider. – Michael Hampton Jul 31 '13 at 18:13
  • Changing your password any time someone tries to reset your password and fails is basically allowing them to DOS you at worst, troll you at best. They shouldn't be doing that. – Mark Allen Jul 31 '13 at 23:27
  • Also, the new password is 8-character alphanum. How stupid is this provider? – Mike Weller Aug 19 '13 at 08:30

4 Answers


This is an absolute breach of security. Even if their policy was somehow sound, sending the password in plaintext to you in an email means that the reset is useless, and as you said, if the attacker had access to your email the security questions wouldn't do squat.

They should have done nothing as the security question answered was invalid. The best thing to do, IMHO, is to go a step further and block the user from answering questions for a defined period. Notifying you is a proper step, but changing the password just makes it useless.

I'd ask them a simple question: "if you're going to send me (or someone pretending to be me with access to my email) a password if I/someone else guess the security question wrong, what's the point of security questions?"

Nathan C

No, it is not an appropriate response from the ISP. The attacker tried to reset the password, which shows that the attacker does not know the current password, and actually does not even try to guess it. Forcing a reset of that password cannot bring any good: it tries to fix exactly the part of the authentication system which was not broken.

If resetting the password will not do any good, it can bring a lot of harm, though. Passwords as plaintext in emails are rarely a good idea.

This situation looks like a good example of a "knee-jerk security stance": when in doubt, panic.

(Your ISP really chose a password beginning with "Rory" ? This triggers my "fool play" sense.)

Thomas Pornin

The only case I can think of where changing your password like that would make security sense is if the user was logged in to your account when they tried to change your password.

In that case, your previous password was potentially compromised, because whoever was logged in knew that password but not the answer to your security question.

Briguy37

This is not good practice. I would be a bit suspicious that the SIP provider had in fact been compromised, but wanted to save face or reduce the potential for negative publicity by being possibly less than clear/honest or a little ambiguous. Basically, changing your password after a FAILED attempt makes absolutely no sense. Sending you a new password via email makes even less. All of this would add up to looking for a new SIP provider if it was me.

Tim X