by derda 4945 days ago
For Packstation they had some serious problems with phishing. At first you only needed your Packstation User Number and the PIN. They then disallowed logins with user number and required the membership card. But it seems they started skimming those, so starting from last month they send you a TAN to your cellphone when the package arrives and you need card+TAN.

From what I see, Bufferbox right now only has a few locations; Packstation has over 2500 locations and a wide user base, and as with software, the wider the user base, the bigger the profit for bad guys.


Amazon and Bufferbox did the sensible thing from the start: one time use access codes.
Via email. Not very hard to hack.
If your email is hacked you likely have bigger problems than a package or two going missing.
Email transport is done in plaintext on the public internet -- it provides no confidentiality or integrity.
Most e-mail users are using browser-based e-mail clients over HTTPS, so in order to access the plaintext email one needs to tap the sender's local network, which would only work if the sender is not using an HTTPS webmail. Plaintext public internet attacks for email were more common when people used unsecured POP3 and IMAP.
How long is the code? What happens if I approach a bufferbox in the middle of the night and try to brute force a TAN?
Wouldn't be much of a problem with exponential backoff time and even a 6-digit pin.
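The last two comments raise the brute-force question and answer it with backoff. The following is an added example, not code from any of the commenters or from Amazon, Bufferbox or DHL Packstation, showing what that answer looks like in code: a one-time 6-digit code checked with a constant-time comparison and a per-locker exponential lockout, plus a helper that counts how many guesses the backoff schedule actually permits in a given time window. The code length, base delay of 1 second and cap of 1 hour are assumed parameters chosen for illustration.

```python
import hmac

# Assumed parameters (not from the thread): 6-digit code, backoff starts at
# 1 s after the first failure, doubles per consecutive failure, capped at 1 h.
PIN_LENGTH = 6
BASE_DELAY_S = 1.0
MAX_DELAY_S = 3600.0
CODE_SPACE = 10 ** PIN_LENGTH


def delay_after(failures: int) -> float:
    """Lockout (seconds) imposed after `failures` consecutive wrong guesses."""
    if failures <= 0:
        return 0.0
    return min(BASE_DELAY_S * 2 ** (failures - 1), MAX_DELAY_S)


class LockerAuth:
    """One-time access code for a single locker with exponential backoff.

    `clock` is injected so the behaviour can be driven deterministically;
    in a real unit it would be time.monotonic.
    """

    def __init__(self, code: str, clock):
        self._code = code          # the one-time code issued for this delivery
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0
        self.used = False

    def attempt(self, candidate: str) -> str:
        now = self._clock()
        if self.used:
            return "already_used"   # code is single-use; it never works twice
        if now < self._locked_until:
            return "locked"         # still inside the backoff window, not even compared
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(candidate, self._code):
            self.used = True
            return "ok"
        self._failures += 1
        self._locked_until = now + delay_after(self._failures)
        return "wrong"


def attempts_in_window(window_s: float) -> int:
    """Count the guesses an attacker can make at one locker within `window_s`
    seconds, assuming every guess is wrong and they wait out each lockout."""
    t = 0.0
    n = 0
    while t <= window_s:
        n += 1                   # a guess is made at time t
        t += delay_after(n)      # then the lockout must elapse
    return n


def success_probability(window_s: float) -> float:
    """Chance of hitting a uniformly random code in the window, given the backoff."""
    return attempts_in_window(window_s) / CODE_SPACE


if __name__ == "__main__":
    night = 8 * 3600
    print(f"guesses possible in 8 h: {attempts_in_window(night)}")
    print(f"probability of success : {success_probability(night):.2e}")
```

With these parameters, an attacker standing at one box all night gets only 19 guesses at a space of one million codes, and every guess after the twelfth costs a full hour. The useful design points are that the lockout is checked before the comparison (so a locked box does no work for the attacker), that the comparison is constant-time, and that the code is invalidated on first success.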