https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30088
--- Comment #19 from Katrin Fischer ---
(In reply to Klas Blomberg from comment #18)
> I don't want to be a party-pooper, but we are contemplating filing a bug
> for making both email and userID mandatory.
>
> The background for this:
> There has been a series of frauds in Sweden where the impostors have used
> the password recovery feature to deceive elderly people (80+ years).
>
> All Swedish libraries use the equivalent to social security numbers as
> userID.
> The impostors have somehow got a list of social security numbers, and enter
> them one after another in password recovery.
> When they see that an email is sent they call the patron, saying they are
> calling from the library and want to help them with their password problem.
> The patron gets confused and is asked to open his/her electronicID - and if
> they do the impostors use it to transfer money from their bank account.
> One patron in a suburb of Stockholm lost 40000€ this way. Therefore we think
> it's too easy to recover passwords in the opac.
>
> By making both email and userID mandatory, frauds like this will be next to
> impossible.

Hi Klas,

that's a really bad story. I am sorry to hear.

I think requiring userid (with it accepting either cardnumber or username) +
email would be OK for us. With your argument I am not sure if it needs to be
configurable.
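
The check proposed in this comment, sketched as an added example that is not part of the original message and is not Koha code: a recovery request must supply both an identifier (cardnumber or username) and the email on file, and the caller sees the same reply whether or not a patron matched. The patron records, field names, reply text and function names are constructed assumptions.

```python
import hmac

# Constructed sample patron records (hypothetical schema, not Koha's).
PATRONS = [
    {"cardnumber": "C1001", "userid": "asmith", "email": "a.smith@example.org"},
    {"cardnumber": "C1002", "userid": "bjones", "email": ""},  # no email on file
]

# Shown for every request, so the page gives no hint that an email was sent.
GENERIC_REPLY = "If the details match an account, a recovery email has been sent."


def _same(a, b):
    """Case-insensitive match of two non-empty strings via hmac.compare_digest."""
    a, b = a.strip().lower(), b.strip().lower()
    return bool(a) and bool(b) and hmac.compare_digest(a.encode(), b.encode())


def request_recovery(identifier, email, patrons=PATRONS):
    """Return (reply_shown_to_caller, address_to_mail_or_None).

    Both fields are mandatory. The identifier may be a cardnumber or a
    username. An empty value never matches, so a patron without an email
    on file cannot be recovered through this form.
    """
    recipient = None
    for p in patrons:
        id_ok = _same(identifier, p["cardnumber"]) or _same(identifier, p["userid"])
        if id_ok and _same(email, p["email"]):
            recipient = p["email"]
    return GENERIC_REPLY, recipient


if __name__ == "__main__":
    # Identifier alone, identifier with a wrong email, and a full match
    # all produce the same visible reply; only the last one sends mail.
    for ident, mail in [("C1001", ""), ("C1001", "x@example.org"),
                        ("asmith", "a.smith@example.org")]:
        print(ident, repr(mail), "->", request_recovery(ident, mail))
```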
