t cht lk password, the attacker gains access through the federated account.
• Unexpired email change attack: Using this method, a cybercriminal creates an account using the victim's email address without waiting for verification and then changes it to another one under their control. Then, if the victim tries to create an account, the attacker takes control of it before the email change process is completed.
• Email verification trick: Many online services do not allow an account to be created without verification by email. In this method, an attacker creates the account using an email address that is under their control, and then takes advantage of the 'change email' function by entering the victim's email address. Therefore, when the user wants to create an account, they can start the change process but the attacker will have already compromised it.
Protecting against attacks
The most effective way to protect against these types of attacks is by implementing a strong multi-factor authentication (MFA) system. These systems explicitly identify users via an additional personal device such as a mobile phone or token.
It is also important for users to be aware of the tactics that are being used and the dangers of simply requesting a password change to an existing account when they can't remember establishing it in the first place. As with any online activity, being vigilant at all times is key.
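On the service side, the two email-change variants listed earlier depend on account state that outlives the moment the real owner proves control of the mailbox. The following is an added example, not code from the article or from any real service: a hypothetical in-memory `AccountService` in which unverified accounts are replaced at sign-up, change requests expire, and a password reset or confirmed change drops earlier sessions. All names and the 15-minute `CHANGE_TTL` are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

CHANGE_TTL = 15 * 60  # seconds; assumed policy value, not from the article

@dataclass
class Account:
    email: str
    password: Optional[str]
    verified: bool = False
    sessions: set = field(default_factory=set)
    pending: Optional[tuple] = None  # (token, new_email, expires_at)

class AccountService:
    """Hypothetical in-memory account store; every name is illustrative."""
    def __init__(self):
        self.accounts = {}  # email -> Account

    def register(self, email, password):
        old = self.accounts.get(email)
        if old and old.verified:
            raise ValueError("email already in use")
        # An unverified account is replaced, not reused: a password, session
        # or pending change planted before the owner signs up is discarded.
        self.accounts[email] = Account(email, password)
        return self.accounts[email]

    def request_email_change(self, acct, new_email, now):
        if not acct.verified:
            raise PermissionError("verify the current address first")
        token = secrets.token_urlsafe(16)  # mailed to new_email
        acct.pending = (token, new_email, now + CHANGE_TTL)
        return token

    def reset_password(self, acct, new_password):
        # A reset proves mailbox control: drop sessions and pending changes.
        acct.password, acct.verified = new_password, True
        acct.sessions.clear()
        acct.pending = None

    def confirm_email_change(self, acct, token, now):
        pend, acct.pending = acct.pending, None  # single use either way
        if not pend or now > pend[2] or not secrets.compare_digest(pend[0], token):
            return False
        if pend[1] in self.accounts and self.accounts[pend[1]].verified:
            return False
        self.accounts.pop(acct.email, None)
        # Whoever held the account before the new owner confirmed loses access.
        acct.email, acct.password = pend[1], None
        acct.sessions.clear()
        self.accounts[acct.email] = acct
        return True
```

After a confirmed change the password is cleared, so the owner of the new address has to set one through the reset flow before the account can be used.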