https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30088 --- Comment #19 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Klas Blomberg from comment #18)
I don't want to be a party-pooper, but we are contemplating to file a bug for making both email and userID mandatory
The background for this: There has been a series of frauds in Sweden where the impostors have used the password recovery feature to deceive elderly people (80+ years)
All swedish libraries use the equivalent to social security numbers as userID. The impostors have somehow got a list of social security numbers, and enters them one after another in password recovery. When they see that an email is sent they call the patron, saying they are calling form the library and wants to help them with their password-problem The patron gets confused and is asked to open his/her electronicID - and if they do the impostors use it to transfer money from their bank-account. One patron in a suburb to Stockholm lost 40000€ this way. Therefore we think it's too easy to recover passwords in the opac.
By making both email and userID mandatory frauds like this will be next to impossible
Hi Klas, that's a real bad story. I am sorry to hear. I think requiring userid (with it accepting either cardnumber or username) + email would be OK for us. With your argument I am not sure if it needs to be configurable. -- You are receiving this mail because: You are watching all bug changes.