Hugo van der Kooij wrote:
>On Fri, 31 Aug 2001, BlueJAMC wrote:
>
>>Obviously, the problem here is clear; the account number is clear text.
>>Of course, the link requires you to include a password. However,
>>considering the fact that most users use the same password for
>>everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
>>use a password is little consolation. This, coupled with the fact that
>>the individual branches for the credit union do not check for any type
>>of identification other than a signature when making a withdrawal, makes
>>this even more dangerous.
>>
>
>Any bank using plain username/password authentication should be avoided
>at all costs! Such a design is painfully insecure. Any steady
>username/password combination can be obtained and replayed over time.
>

Lovely sentiment (which I actually agree with) but it has the substantial
problem that that means avoiding nearly all consumer banks. This makes the
suggestion impractical to follow.

This is characteristic of a lot of the problems of security in practice:
the security professionals set the bar too high; so high that the people
who have to operate in the field cannot reach it. The field operators
quickly conclude that the sage security advice must be intended for
"someone else", and then wander off and do whatever they think is best.
The result is often horribly insecure practices like using social security
numbers as authenticators.

So let's try to keep it real. Reusable passwords are horrible security
measures, and should be replaced with cryptographic tokens. HOWEVER, for
many, if not most purposes, reusable passwords can provide an acceptable
level of security, especially when combined with cryptographic tunneling
technologies like SSL or SSH. Save the "avoid at all costs" alarm for
truly bone-head moves like non-SSL reusable passwords or social security
number authenticators.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.  http://wirex.com
Security Hardened Linux Distribution:        http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
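The replay point made in the quoted message (a fixed username/password "can be obtained and replayed over time") and the "cryptographic tokens" alternative in the reply can be shown side by side in a small model. The following is an added illustration, not code from this thread or from any bank or product mentioned in it. The user name, password, shared secret and the "captured" messages are all constructed; the servers are in-memory toys. The reusable-password server accepts the same bytes any number of times, which is exactly what an observer on an unencrypted link gets to reuse. The challenge-response server issues a fresh single-use nonce per login and expects an HMAC over it, so a recorded response is useless both against the same challenge (already consumed) and against any new one (different nonce).

```python
"""Added illustration: why a static, reusable password replays while a
challenge-response token does not. All names, secrets and captured
messages are constructed for the example."""
import hashlib
import hmac
import os
import secrets


# --- Server side -----------------------------------------------------------

class StaticPasswordServer:
    """Authenticates with a reusable password sent as-is on every login."""

    def __init__(self, user: str, password: str) -> None:
        # The verifier stores a salted hash, not the password itself; that
        # protects the stored credential, not the one crossing the wire.
        self._salt = os.urandom(16)
        self._user = user
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)

    def login(self, user: str, password: str) -> bool:
        if user != self._user:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._digest)


class ChallengeResponseServer:
    """Authenticates with an HMAC over a fresh, single-use server nonce.

    A simple model of a 'cryptographic token': the secret never crosses the
    wire, and each response is bound to exactly one challenge.
    """

    def __init__(self, user: str, secret: bytes) -> None:
        self._user = user
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, user: str, nonce: bytes, response: bytes) -> bool:
        if user != self._user or nonce not in self._outstanding:
            return False  # unknown or already-used challenge: replay rejected
        self._outstanding.discard(nonce)  # single use, even if the MAC fails
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


# --- Client side -----------------------------------------------------------

def token_response(secret: bytes, nonce: bytes) -> bytes:
    """What the client's token computes for a given challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


# --- Scenario: an observer records one login and tries it again -------------

def replay_static_password():
    """Returns (first_login_ok, replay_ok) for the reusable-password scheme."""
    server = StaticPasswordServer("alice", "hunter2")  # constructed credentials
    captured = ("alice", "hunter2")  # what a wire observer sees without SSL
    first = server.login(*captured)
    replay = server.login(*captured)  # identical bytes are accepted again
    return first, replay


def replay_challenge_response():
    """Returns (first_login_ok, replay_ok, old_response_on_new_nonce_ok)."""
    secret = secrets.token_bytes(32)  # constructed secret shared by token and server
    server = ChallengeResponseServer("alice", secret)

    nonce = server.challenge()
    captured = ("alice", nonce, token_response(secret, nonce))
    first = server.login(*captured)
    replay = server.login(*captured)  # same nonce a second time: rejected

    new_nonce = server.challenge()
    replay_new = server.login("alice", new_nonce, captured[2])  # wrong nonce
    return first, replay, replay_new


if __name__ == "__main__":
    print("static password   (first, replay):", replay_static_password())
    print("challenge/response (first, replay, old response on new nonce):",
          replay_challenge_response())
```

The model also shows where SSL fits in the reply's argument: the tunnel removes the wire observer, which is what makes a reusable password "acceptable" for many purposes, but it does nothing about the same password being reused across unrelated sites, which is the point BlueJAMC raised.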
This archive was generated by hypermail 2b30 : Sun Sep 02 2001 - 22:41:01 PDT