Re: Vulnerability in credit union's E-statement feature

From: Hugo van der Kooij (hvdkooijat_private)
Date: Sat Sep 01 2001 - 11:34:23 PDT


    On Fri, 31 Aug 2001, BlueJAMC wrote:
    
    > Obviously, the problem here is clear;  the account number is clear text.
    > Of course, the link requires you to include a password.  However,
    > considering the fact that most users use the same password for
    > everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
    > use a password is little consolation.  This, coupled with the fact that
    > the individual branches for the credit union do not check for any type
    > of identification other than a signature when making a withdrawal, makes
    > this even more dangerous.
    
    Any bank using plain username/password authentication should be avoided
    at all costs! Such a design is painfully insecure. Any steady
    username/password combination can be obtained and replayed over time.
    It usually only takes a glance at the keyboard of someone typing his/her
    password to get a good hunch. (recognize any name, car brand, ....?)
    
    I'm not aware of other countries' specifications but in the Netherlands all
    banks use some sort of one-time passwords. Most of them use the tokens
    made by Vasco.
    
    The security requires 3 items:
     - challenge generated by the server
     - physical access to the OTP generator. (stack 5 credit cards and you've got
    a picture of the size ;-)
     - pincode of the OTP
    These generate a response that is unique and is sent back to the server.
    
    Hugo.
    
    -- 
    All email sent to me is bound to the rules described on my homepage.
        hvdkooijat_private		http://hvdkooij.xs4all.nl/
    	    Don't meddle in the affairs of sysadmins,
    	    for they are subtle and quick to anger.
    
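A constructed model of the three-item challenge/response scheme described in the post (server challenge, physical token, PIN), added here as an example; it is not code from the original post and not Vasco's token algorithm. The HMAC-based response function, the 8-digit display format and the names are assumptions. It also shows why a captured response is useless for replay, which is the weakness the post raises against static passwords.

```python
import hmac
import hashlib
import secrets

# Assumed response function: HMAC over the server challenge, keyed by a
# per-token device secret mixed with the user's PIN. Without the device
# secret OR without the PIN, the correct response cannot be computed.
# This is an illustration, NOT the proprietary algorithm of any real token.
def token_response(token_secret, pin, challenge):
    """What the hand-held token computes from the typed-in challenge and PIN."""
    key = hashlib.sha256(token_secret + pin.encode()).digest()
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    # Truncate to 8 decimal digits so it fits on a small LCD display.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class OtpServer:
    """Issues fresh challenges and verifies responses; each challenge is
    consumed on the first verification attempt, so a sniffed or
    shoulder-surfed response is worthless afterwards."""
    def __init__(self):
        self._secrets = {}   # user -> (token_secret, pin), set at enrolment
        self._pending = {}   # user -> outstanding challenge (at most one)

    def enroll(self, user, token_secret, pin):
        self._secrets[user] = (token_secret, pin)

    def challenge(self, user):
        c = secrets.token_hex(4)          # 8 hex digits shown to the user
        self._pending[user] = c
        return c

    def verify(self, user, response):
        c = self._pending.pop(user, None)  # one shot: gone after this attempt
        if c is None or user not in self._secrets:
            return False
        tok, pin = self._secrets[user]
        expected = token_response(tok, pin, c)
        return hmac.compare_digest(expected, response)

def demo():
    """Returns (genuine login accepted, replayed response rejected,
    correct token but wrong PIN rejected)."""
    server = OtpServer()
    tok = b"\x01" * 32                     # constructed device secret
    server.enroll("alice", tok, "4711")    # constructed PIN
    c = server.challenge("alice")
    ok = server.verify("alice", token_response(tok, "4711", c))
    replay = server.verify("alice", token_response(tok, "4711", c))
    c2 = server.challenge("alice")
    wrong_pin = server.verify("alice", token_response(tok, "0000", c2))
    return ok, replay, wrong_pin
```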
    This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 11:53:33 PDT