Bugtraq mailing list archives
Re: Statistical Attack Against Virtual Banks
From: andre () CS UCSB EDU (Andre L. Dos Santos)
Date: Tue, 8 Feb 2000 23:57:35 -0800
On Wed, 9 Feb 2000, Swift Griggs wrote:
> On Tue, 8 Feb 2000, Andre L. Dos Santos wrote:
>> Many Virtual Banks rely on a fixed length personal identification number (PIN) to identify a user. Some banks allow access to all of their online operations after a successful identification, others require additional identification, like social security number, maiden name or an additional PIN.
>
> You don't mention x509 authentication in your analysis at all. IMHO, you're not doing anything here other than bringing up the age old technique of brute forcing weak passwords in a circuitous way.
Users want systems that are user-friendly. Banks want to maximize the number of users using their online services. Requiring x509 client certificates goes against both desires (at least for the average users). But it could improve the protections, if all issues with certificates are not considered. I do not include this in the note because I have not seen a bank that requires client x509. Any pointers are welcome.

Andre.