Bugtraq mailing list archives
Re: Statistical Attack Against Virtual Banks
From: securit () ONLINE NO (HC Security)
Date: Wed, 9 Feb 2000 09:06:10 +0100
Here in Norway I don't know of _any_ "virtual bank" which doesn't _at least_ use one-time passwords, or so-called digipasses (the user types his PIN on a small, personal calculator-type device which returns a 6 digit code to use for authentication in the virtual bank - this code expires after 15 min or so).

I don't see why this is better than a PIN, unless it is a separated device (with the overhead of the user having to carry this token). In addition, if I know how the device generates the code from the PIN, this only represents an extra step in the attack.

I was a little quick there. The one-time passwords (numbers) and digipasses won't appear more secure when it comes to the statistical attack. However, they drastically improve the security for the individual user as it prevents or hinders other types of attacks/hacks. Also, each digipass is hardcoded so they generate the key differently. What's more of a problem is the banks' tendency to choose too short public/private keys (512/40 is common).

--
Regards,
Snorre Haugnes
HC Security