tl;dr: When building a web site, NEVER create a reset password flow that asks security questions. Always send an e-mail with reset instructions.
In a paper for IEEE Security, researchers from Cyberpion and Israel’s College of Management Academic Studies describe a “Password Reset Man-in-the-Middle Attack” that leverages a bunch of clever insights into how password resets work to steal your email account (and other kinds of accounts), even when it’s protected by two-factor authentication.
Here’s the basics: the attacker gets you to sign up for an account for their website (maybe it’s a site that gives away free personality tests or whatever). The sign-up process presents a series of prompts for the signup, starting with your email address.
As soon as the attacker has your email address, a process on their server logs into your email provider as you and initiates an “I’ve lost access to my email” password reset process.
From then on, every question in your signup process for the attacker’s service is actually a password reset question from your email provider. For example, if your email provider is known to text your phone with a PIN as part of the process, the attacker prompts you for your phone number, then says, “I’ve just texted you a PIN, please enter it now.” You enter the PIN, and the attacker passes that PIN to your email provider.
Same goes for “security questions” like “What street did you live on when you were a kid?” The email provider asks the attacker these questions, the attacker asks you the questions for the signup process, and then uses your answers to impersonate you to the email provider.
This has some serious consequences with account sign-up and password reset flows that do not involve a secondary channel, such as sending an e-mail or replying to an SMS message.
Note that this attack is insidious because it appears you’re answering questions on a third party web site, as that third party is using your answers to attack a trusted bank account.