Bugtraq mailing list archives

Re: Statistical Attack Against Virtual Banks


From: andre () CS UCSB EDU (Andre L. Dos Santos)
Date: Tue, 8 Feb 2000 23:57:35 -0800


On Wed, 9 Feb 2000, Swift Griggs wrote:

On Tue, 8 Feb 2000, Andre L. Dos Santos wrote:
Many Virtual Banks rely on a fixed length personal identification
number (PIN) to identify a user. Some banks allow access to all of
their online operations after a successful identification; others
require additional identification, like social security number, maiden
name or an additional PIN.

You don't mention x509 authentication in your analysis at all. IMHO, you're
not doing anything here other than bringing up the age-old technique of
brute forcing weak passwords in a circuitous way.


  Users want systems that are user-friendly. Banks want to maximize the
number of users using their online services. Requiring x509 client
certificates goes against both desires (at least for the average user). But
it could improve the protections, if all issues with certificates are not
considered. I do not include this in the note because I have not seen a
bank that requires client x509. Any pointers are welcome.

  Andre.

