> >(...) Therefore, it is a widespread
> >practice to use 4 or 6 digit PINs. Because of the small length of the PINs
> >an attacker can target a particular account and try all possibilities. In
> >order to defend against this class of attacks, banks usually lock out
> >accounts after a certain number of unsuccessful identification attempts.

I don't know what is the case in California, but I don't think I can emphasise heavily enough how immensely stupid it is to rely _solely_ on a 4 (or 6) digit PIN for full access to the bank account. How come, when there are so many other easy-to-implement solutions which are way better when it comes to security? To use the same code day after day on the same website... that statistical attack is perhaps not the worst; what if someone snooped your traffic or logged on to your win98 computer and simply retrieved your PIN?

Here in Norway I don't know of _any_ "virtual bank" which doesn't _at least_ use one-time passwords, or so-called digipasses (the user types his PIN on a small, personal calculator-type device which returns a 6 digit code to use for authentication in the virtual bank - this code expires after 15 min or so).

> >Some banks use alphanumeric characters for authentication. An attacker can
> >use dictionary words, instead of numbers, in this case to attack these
> >banks.

Mensch!

--
Regards,
Snorre Haugnes
HC Security
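The two defences discussed in this thread, a 6-digit code that expires after about 15 minutes and a lockout after a fixed number of failed attempts, combined in one verifier. This is an added example, not code from the list post or from any bank's digipass product; the HMAC-based code derivation, the lockout threshold of 3 and the secret value are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 15 * 60  # code validity window, as described in the post
MAX_FAILURES = 3          # lockout threshold (assumed value, not from the post)
CODE_DIGITS = 6


def generate_code(secret: bytes, timestamp: int) -> str:
    """Derive the 6-digit code for the 15-minute window containing `timestamp`.

    HMAC over the window counter is an assumption about how such a device
    could work; the post does not describe the digipass algorithm.
    """
    counter = timestamp // WINDOW_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Account:
    """Server-side state for one account: shared secret plus failure counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked = False


def verify(account: Account, submitted: str, now: int) -> str:
    """Return "ok", "bad" or "locked".

    A locked account rejects everything, even a correct code, so an attacker
    gets at most MAX_FAILURES guesses per account before the bank intervenes.
    """
    if account.locked:
        return "locked"
    expected = generate_code(account.secret, now)
    if hmac.compare_digest(expected, submitted):  # constant-time comparison
        account.failures = 0
        return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
        return "locked"
    return "bad"
```

A code captured by snooping traffic is useless once its window has passed, and a guessed-code attack against one account stops after three misses; neither property holds for a static 4-digit PIN.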
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:57 PDT