by Evbn 4945 days ago
Amazon and Bufferbox did the sensible thing from the start: one time use access codes.
2 comments

Via email. Not very hard to hack.
If your email is hacked you likely have bigger problems than a package or two going missing.
Email transport is done in plaintext on the public internet -- it provides no confidentiality or integrity.
Most e-mail users are using browser-based e-mail clients over HTTPS, so in order to access the plaintext email one needs to tap the sender's local network, which would only work if the sender is not using an HTTPS webmail. Plaintext public internet attacks for email were more common when people used unsecured POP3 and IMAP.
How long is the code? What happens if I approach a bufferbox in the middle of the night and try to brute force a TAN?
Wouldn't be much of a problem with exponential backoff time and even a 6-digit PIN.
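
The backoff arithmetic behind the last comment, as an added example that is not part of the thread: a locker-side check for a single-use code with exponential backoff, plus a count of how many guesses such a policy would evaluate in one night. The class and function names, the 1-second base delay, the one-hour cap and the 8-hour window are assumptions made for illustration, not Bufferbox's or Amazon's actual policy.

```python
import hmac

class OneTimeCodeLock:
    """Locker-side check: single-use code plus exponential backoff on failures."""

    def __init__(self, code, base_delay=1.0, max_delay=3600.0):
        self._code = code              # constructed sample value supplied by caller
        self.base_delay = base_delay   # assumed policy: first lockout, in seconds
        self.max_delay = max_delay     # assumed cap on a single lockout
        self.failures = 0
        self.locked_until = 0.0
        self.used = False

    def try_code(self, guess, now):
        """Return 'open', 'wrong', 'locked' or 'used' for a guess at time `now`."""
        if self.used:
            return "used"
        if now < self.locked_until:
            return "locked"            # guesses during a lockout are not evaluated
        if hmac.compare_digest(guess.encode(), self._code.encode()):
            self.used = True           # one-time use: the code is dead after success
            return "open"
        delay = min(self.base_delay * 2 ** self.failures, self.max_delay)
        self.failures += 1
        self.locked_until = now + delay
        return "wrong"


def guesses_in_window(window_seconds, digits=6, base_delay=1.0, max_delay=3600.0):
    """Simulate back-to-back wrong guesses; return (evaluated guesses, hit probability)."""
    lock = OneTimeCodeLock("x" * digits, base_delay, max_delay)  # can never match digits
    now, evaluated = 0.0, 0
    while now <= window_seconds:
        lock.try_code("0" * digits, now)
        evaluated += 1
        now = lock.locked_until        # earliest moment the next guess is evaluated
    return evaluated, evaluated / 10 ** digits


if __name__ == "__main__":
    print(guesses_in_window(8 * 3600))                          # capped at one hour
    print(guesses_in_window(8 * 3600, max_delay=float("inf")))  # uncapped doubling
```

The lockout state has to live in the box (or its backend) and persist across power cycles, otherwise the counter resets and the bound no longer holds.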