The Register


Password to registered e-mail does not solve the problem.

"The call centre staff shouldn't have access to your password either. If you forget it, they should simply email a new one (auto-generated, so again they have no access) to your already registered email address (which, with the above, can't be changed).

Problem solved."

I wasn't aware it was illegal to hold the CVV, but the problem is more complex than this, and simply sending to a registered e-mail address doesn't solve the problem.

The fact is, people lose access to their e-mail addresses. If my ISP cuts me off for missing a bill, by accident, for breaking non-advertised AUPs or for some other reason, then I could very well also lose access to my e-mail address. As such, there has to be a way to get my e-mail address changed.

You also have to cater for the eventuality that someone may lose their e-mail address AND their password. Say someone had to work abroad for 6 months: it's feasible that in this time they may have dropped/lost their e-mail address and also forgotten their password.

As such, social engineers can still attack the "lost e-mail address" or "lost e-mail address and password" methods that companies have to employ, if the lost-password facility by itself is secure in the way you mention.

You can't even guarantee someone's home address is still the same either. I have witnessed first hand a scenario where all this is relevant: Dark Age of Camelot, European servers. They had their network hacked and, as such, locked down the service and sent passwords out to people's registered e-mail addresses. Not everyone still had their address, so they offered to send them out to home addresses via snail mail, but still some users had changed their home addresses. I'm not sure what their final solution was; being arguably the most incompetent of companies ever, they undoubtedly just told these people to go f*ck themselves, but that's beside the point.

There has to be a balance between security and recoverability. The key is to have multiple layers of authentication when people want to reset certain details, and the security questions are those layers of detail. The problem is that they're being abused, and things like "Where were you born?", which are easily guessable, are being used. Ideally, questions that are a lot more personal, such that likely only the correct user might know them, are a better bet. Whilst "Who was the ugliest bird you ever shagged?" might be a good bet, as few people will admit it in public, we don't necessarily have to have things that are embarrassingly personal; even things like "How many months old was your son/daughter when they first learned to walk?", "What was your favourite furry toy as a child?", "Who was your favourite TV show character when you were young?" or even possibly "What's your all-time favourite film?" would do. Stuff that's simply not quite so guessable. A combination of 3/4 of these should do the trick in 99% of cases, as it's unlikely someone on the internet could ever guess them, and certainly pretty much never guess all 4.
