On Wed, 9 Feb 2000, HC Security wrote:

> > > (...) Therefore, it is a widespread
> > > practice to use 4 or 6 digit PINs. Because of the small length of the PINs
> > > an attacker can target a particular account and try all possibilities. In
> > > order to defend against this class of attacks, banks usually lock out
> > > accounts after a certain number of unsuccessful identification attempts.
>
> I don't know what is the case in California, but I don't think I can
> emphasise heavily enough how immensely stupid it is to rely _solely_ on a 4
> (or 6) digit PIN for full access to the bank account. How come, when there
> are so many other easy-to-implement solutions which are way better when it
> comes to security? To use the same code day after day on the same
> website... that statistical attack is perhaps not the worst; what if
> someone snooped your traffic or logged on to your Win98 computer and simply
> retrieved your PIN?

How are you going to snoop a PIN code that is not stored locally and is
transmitted using SSL or a Java applet using encryption? Anyway, if I have
access to a Win98 computer I can do many nasty things...

> Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
> least_ use one-time passwords, or so-called digipasses (the user types his
> PIN on a small, personal calculator-type device which returns a 6 digit
> code to use for authentication in the virtual bank - this code expires
> after 15 min or so).

I don't see why this is better than a PIN, unless it is a separate device
(with the overhead of the user having to carry this token). In addition, if
I know how the device generates the code from the PIN, this only represents
an extra step in the attack.

> > > Some banks use alphanumeric characters for authentication. An attacker can
> > > use dictionary words, instead of numbers, in this case to attack these
> > > banks.
>
> Mensch!
>
> --
> Regards,
>
> Snorre Haugnes
> HC Security

Cheers,

Andre.
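The two mechanisms argued over above (lockout after a few bad attempts, and a calculator-type token whose 6-digit code expires after about 15 minutes) can be modelled in a few dozen lines. The block below is an added illustration written for this archive page, not code from either poster or from any bank product. It assumes a token construction of its own choosing: the code is an HMAC-SHA256 over the current 15-minute window, keyed by a per-device secret combined with the user's PIN, truncated the way HOTP (RFC 4226) does it; the 3-attempt lockout threshold, the device secret and the PIN "4711" are constructed values, since the thread gives no numbers. The model shows why a code generated this way is more than "an extra step" for someone who only knows the algorithm: without the device secret the attacker is back to guessing, lockout stops the guessing after three tries, and a code snooped off the wire is refused both when replayed inside its window and after the window has passed.

```python
import hashlib
import hmac
import struct

# Constructed parameters for the illustration (not from the thread).
WINDOW_SECONDS = 15 * 60          # code lifetime: "expires after 15 min or so"
MAX_ATTEMPTS = 3                  # assumed lockout threshold
DIGITS = 6                        # 6-digit code, as described for the digipass
DEVICE_SECRET = b"constructed-device-secret-0001"   # lives only in the token and at the bank
PIN = "4711"                      # constructed 4-digit PIN


def token_code(device_secret: bytes, pin: str, now: int) -> str:
    """Code the hypothetical device displays after the user keys in the PIN.

    Bound to the current 15-minute window and keyed by the device secret
    plus the PIN, so knowing the algorithm and the PIN is not enough to
    compute it. Truncation follows HOTP dynamic truncation (RFC 4226)."""
    window = now // WINDOW_SECONDS
    key = hashlib.sha256(device_secret + pin.encode()).digest()
    mac = hmac.new(key, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Account:
    """Bank-side verifier: shares the device secret and PIN, locks after MAX_ATTEMPTS,
    and refuses a code that has already been accepted in its window (replay)."""

    def __init__(self, device_secret: bytes, pin: str):
        self.device_secret = device_secret
        self.pin = pin
        self.failures = 0
        self.locked = False
        self.used = set()          # (window, code) pairs already consumed

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        # Accept the current window and the previous one so a code typed just
        # before the window rolls over is not rejected.
        for w in (0, 1):
            t = now - w * WINDOW_SECONDS
            if hmac.compare_digest(token_code(self.device_secret, self.pin, t), code):
                key = (t // WINDOW_SECONDS, code)
                if key in self.used:   # same code presented a second time: replay
                    return False
                self.used.add(key)
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True
        return False


def lockout_demo(now: int = 1_000_000):
    """Attacker without the device guesses codes; returns
    (guesses processed before lockout, locked?, correct code accepted after lockout?)."""
    acct = Account(DEVICE_SECRET, PIN)
    valid = {token_code(DEVICE_SECRET, PIN, now),
             token_code(DEVICE_SECRET, PIN, now - WINDOW_SECONDS)}
    # Guesses chosen to be wrong, so the demo is deterministic.
    guesses = [str(i).zfill(DIGITS) for i in range(10) if str(i).zfill(DIGITS) not in valid]
    processed = 0
    for g in guesses[:MAX_ATTEMPTS + 2]:
        if acct.locked:
            break
        acct.verify(g, now)
        processed += 1
    accepted_after_lock = acct.verify(token_code(DEVICE_SECRET, PIN, now), now)
    return processed, acct.locked, accepted_after_lock


def replay_demo(now: int = 1_000_000):
    """Code snooped from the wire: returns
    (legitimate login ok?, replay one minute later ok?, replay after the window ok?)."""
    acct = Account(DEVICE_SECRET, PIN)
    snooped = token_code(DEVICE_SECRET, PIN, now)
    legit = acct.verify(snooped, now)
    replay_now = acct.verify(snooped, now + 60)
    replay_late = acct.verify(snooped, now + 2 * WINDOW_SECONDS + 1)
    return legit, replay_now, replay_late


if __name__ == "__main__":
    print("lockout:", lockout_demo())
    print("replay: ", replay_demo())
```

The replay check is the part neither poster spells out: expiry alone still leaves a 15-minute window in which a sniffed code works, so a verifier should also remember which codes it has already accepted. The window-tolerance loop is the usual price of that design; it doubles the number of codes an attacker could hit by luck, from one in a million to two in a million per attempt, which is why the attempt counter still matters.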
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:02 PDT