Re: Vulnerability in credit union's E-statement feature

From: Crispin Cowan (crispinat_private)
Date: Sun Sep 02 2001 - 14:16:29 PDT

    Hugo van der Kooij wrote:
    
    >On Fri, 31 Aug 2001, BlueJAMC wrote:
    >
    >>Obviously, the problem here is clear;  the account number is clear text.
    >>Of course, the link requires you to include a password.  However,
    >>considering the fact that most users use the same password for
    >>everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
    >>use a password is little consolation.  This, coupled with the fact that
    >>the individual branches for the credit union do not check for any type
    >>of identification other than a signature when making a withdrawal, makes
    >>this even more dangerous.
    >>
    >
    >Any bank using plain username/password authentication should be avoided
    >at all costs! Such a design is painfully insecure. Any steady
    >username/password combination can be obtained and replayed over time.
    >
    Lovely sentiment (which I actually agree with) but it has the 
    substantial problem that that means avoiding nearly all consumer banks. 
    This makes the suggestion impractical to follow.
    
    This is characteristic of a lot of the problems of security in practice: 
    the security professionals set the bar too high; so high that the people 
    who have to operate in the field cannot reach it.  The field operators 
    quickly conclude that the sage security advice must be intended for 
    "someone else", and then wander off and do whatever they think is best. 
    The result is often horribly insecure practices like using social 
    security numbers as authenticators.
    
    So let's try to keep it real.  Reusable passwords are horrible security 
    measures, and should be replaced with cryptographic tokens.  HOWEVER, 
    for many, if not most purposes, reusable passwords can provide an 
    acceptable level of security, especially when combined with 
    cryptographic tunneling technologies like SSL or SSH.  Save the "avoid 
    at all costs" alarm for truly bone-head moves like non-SSL reusable 
    passwords or social security number authenticators.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
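    The two authentication models argued about in this thread, shown side by side in a small added example (this is editor-supplied illustration, not code from Crispin, Hugo, or the credit union's E-statement system). Hugo's point is that a steady username/password pair, once observed, can be replayed indefinitely; Crispin's is that a cryptographic token avoids this. The example models the token as an HMAC-SHA256 challenge-response over a single-use server nonce, which is an assumption for illustration; the member id and shared secret are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical, not from the thread): one member
# record holding the shared secret the server side knows.
USERS = {"member-1234": b"correct horse battery staple"}


class StaticPasswordServer:
    """Login with a reusable password: whatever the client sends is compared
    directly, so anything observed in transit stays valid for every later login."""

    def login(self, user: str, password: bytes) -> bool:
        stored = USERS.get(user)
        return stored is not None and hmac.compare_digest(stored, password)


class ChallengeResponseServer:
    """Login with a per-session challenge: the client proves it holds the
    secret by MACing a fresh server nonce. The nonce is discarded after one
    verification, so a captured response is useless against a later session."""

    def __init__(self) -> None:
        self._pending: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce            # one outstanding challenge per user
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)  # single use: consumed here
        secret = USERS.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_answer(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate client (or a hardware token) computes from the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def static_password_replay() -> tuple:
    """Returns (first login ok, replay of the same observed bytes ok)."""
    server = StaticPasswordServer()
    observed = USERS["member-1234"]            # the bytes that cross the wire unchanged
    first = server.login("member-1234", observed)
    replay = server.login("member-1234", observed)
    return first, replay


def challenge_response_replay() -> tuple:
    """Returns (first login ok, replay of the observed response ok)."""
    server = ChallengeResponseServer()
    nonce = server.challenge("member-1234")
    observed = client_answer(USERS["member-1234"], nonce)  # what crosses the wire
    first = server.verify("member-1234", observed)
    server.challenge("member-1234")            # a later session gets a new nonce
    replay = server.verify("member-1234", observed)
    return first, replay


if __name__ == "__main__":
    print("static password:    first=%s replay=%s" % static_password_replay())
    print("challenge-response: first=%s replay=%s" % challenge_response_replay())
```

    The static-password server accepts the observed bytes every time; the challenge-response server accepts the first answer and rejects the same bytes presented again, because they were bound to a nonce that no longer exists. Crispin's middle ground, the reusable password inside an SSL tunnel, changes what an observer on the wire can see rather than what the server checks, which is why the thread treats the unencrypted case as the truly unacceptable one.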
    This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 22:41:01 PDT