Regarding the reported Alipay password-recovery loophole, Alipay responded that the recovery path that asks the user to identify recently purchased goods and to recognize their friends can currently be used only on the user's own mobile phone; the password cannot be retrieved this way from another mobile device.

At the same time, Alipay said that after receiving the users' feedback it raised the security level of its risk control system.

Today, Alipay users reported a new vulnerability: a stranger has a 1/5 chance of logging in to your Alipay account, and an acquaintance can log in 100% of the time. According to the account circulating online, the vulnerability works like this: log in with the mobile phone account, choose "forgot password", choose "mobile phone is not around", pick the item bought on Taobao from 9 pictures, pick one friend from 9 for friend verification, and the login succeeds. After that, payments can be made directly by scanning a QR code without a password.

The following is Alipay's official response:

We received user feedback stating that the Alipay login password could be retrieved by identifying friends and identifying recently purchased goods.

This method is available only under certain circumstances. Under normal circumstances, a user who wants to retrieve the login password must at least enter the SMS verification code. For users who cannot receive text messages or who have changed their mobile device, the risk control system first assesses the risk (based on factors such as the completeness of the account information and the network environment). Only when the safety factor is high are users allowed to answer a series of security questions, and only after answering them correctly can they change the login password.

This strategy can retrieve only the login password; answering the security questions cannot retrieve the payment password. And once a user's Alipay account is logged in on another device, the user receives a notification on their own device.

In order to further strengthen users' sense of security, after receiving the user feedback we raised the security level of the risk control system this morning. Currently, recovering the login password by identifying recently purchased goods and identifying one's friends is possible only on the user's own mobile phone; the password cannot be retrieved this way from other mobile devices.

We also welcome users to continue offering comments and suggestions on our security strategy; we will further improve and correct it based on that feedback.
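To make the change described in the report and the response concrete, here is an added example (not Alipay's code; the method names, the risk-score threshold and the field names are assumptions) of a recovery-policy check in its weak form, where the picture-based questions are offered on any device once the risk score looks clean, beside the corrected form that offers them only on the device bound to the account, and that never lets them reset the payment password:

```python
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    SMS_CODE = "sms_code"   # one-time code sent to the registered phone number
    KBA = "kba"             # "pick your recent purchase / pick your friend" picture questions


@dataclass
class RecoveryContext:
    device_bound_to_account: bool  # request comes from the user's own registered phone
    can_receive_sms: bool          # user can still receive text messages
    risk_score: float              # assumed: 0.0 (clean) .. 1.0 (risky), from risk control


KBA_MAX_RISK = 0.3  # assumed threshold for "high safety factor"


def allowed_methods_before(ctx: RecoveryContext) -> list[Method]:
    """Weak policy: KBA is offered on any device when the risk score is low."""
    methods = []
    if ctx.can_receive_sms:
        methods.append(Method.SMS_CODE)
    if ctx.risk_score <= KBA_MAX_RISK:
        methods.append(Method.KBA)  # an unknown device with a clean network still qualifies
    return methods


def allowed_methods_after(ctx: RecoveryContext) -> list[Method]:
    """Corrected policy: KBA only on the phone bound to the account."""
    methods = []
    if ctx.can_receive_sms:
        methods.append(Method.SMS_CODE)
    if ctx.device_bound_to_account and ctx.risk_score <= KBA_MAX_RISK:
        methods.append(Method.KBA)
    return methods


def may_reset(target: str, completed: Method) -> bool:
    """Picture questions can reset the login password only, never the payment password."""
    if target == "payment_password":
        return completed == Method.SMS_CODE
    return target == "login_password"
```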

