On Fri, 31 Aug 2001, BlueJAMC wrote:

> Obviously, the problem here is clear; the account number is clear text.
> Of course, the link requires you to include a password. However,
> considering the fact that most users use the same password for
> everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
> use a password is little consolation. This, coupled with the fact that
> the individual branches for the credit union do not check for any type
> of identification other than a signature when making a withdrawal, makes
> this even more dangerous.

Any bank using plain username/password authentication should be avoided
at all costs! Such a design is painfully insecure. Any steady
username/password combination can be obtained and replayed over time. It
usually only takes a glance at the keyboard of someone typing his/her
password to get a good hunch. (Recognize any name, car brand, ...?)

I'm not aware of other countries' specifications, but in the Netherlands
all banks use some sort of one-time passwords. Most of them use the tokens
made by Vasco. The security requires 3 items:

- challenge generated by the server
- physical access to the OTP generator (stack 5 credit cards and you got
  a picture of the size ;-)
- pincode of the OTP

These generate a response that is unique and is sent back to the server.

Hugo.

--
All email sent to me is bound to the rules described on my homepage.
hvdkooijat_private http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
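The challenge-response flow Hugo describes, as an added example that is not part of the original post and is not Vasco's algorithm: the server issues a random single-use challenge, the token only answers after the correct PIN, and the server checks the HMAC response once, so a captured response cannot be replayed the way a static password can. `Server`, `Token` and `demo` are assumed names, and the seed and PIN values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time


class Server:
    """Bank side: holds each token's seed (shared at enrolment) and open challenges."""

    def __init__(self):
        self.seeds = {}        # account -> token seed
        self.challenges = {}   # challenge -> (account, expiry time)

    def enrol(self, account, seed):
        self.seeds[account] = seed

    def issue_challenge(self, account, ttl=60):
        # Random, short-lived, bound to one account; the "challenge generated by the server".
        challenge = secrets.token_hex(8)
        self.challenges[challenge] = (account, time.time() + ttl)
        return challenge

    def verify(self, account, challenge, response):
        # Remove the challenge first: it is consumed whether or not the response is correct,
        # so a response captured from the wire cannot be replayed later.
        entry = self.challenges.pop(challenge, None)
        if entry is None:
            return False
        acct, expiry = entry
        if acct != account or time.time() > expiry:
            return False
        expected = hmac.new(self.seeds[account], challenge.encode(), hashlib.sha256).hexdigest()[:8]
        return hmac.compare_digest(expected, response)


class Token:
    """The physical OTP generator: seed never leaves the device, PIN unlocks it locally."""

    def __init__(self, seed, pin):
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin, challenge):
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")   # no response without the PIN
        # Short response for typing by hand; the server should rate-limit guesses.
        return hmac.new(self._seed, challenge.encode(), hashlib.sha256).hexdigest()[:8]


def demo():
    """One login, then a replay of the same response: returns (first_ok, replay_ok)."""
    seed = secrets.token_bytes(32)            # constructed enrolment seed
    server = Server()
    server.enrol("acct-1", seed)
    token = Token(seed, "1234")               # constructed PIN
    challenge = server.issue_challenge("acct-1")
    response = token.respond("1234", challenge)
    return server.verify("acct-1", challenge, response), server.verify("acct-1", challenge, response)
```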
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 11:53:33 PDT