Bugtraq mailing list archives
Re: Vulnerability in credit union's E-statement feature
From: Crispin Cowan <crispin () wirex com>
Date: Sun, 02 Sep 2001 14:16:29 -0700
Hugo van der Kooij wrote:

> On Fri, 31 Aug 2001, BlueJAMC wrote:
>
> > Obviously, the problem here is clear; the account number is clear text. Of course, the link requires you to include a password. However, considering the fact that most users use the same password for everything--e-mail, e-statements, chatroom SNs, etc--the requirement to use a password is little consolation. This, coupled with the fact that the individual branches for the credit union do not check for any type of identification other than a signature when making a withdrawal, makes this even more dangerous.
>
> Any bank using plain username/password authentication should be avoided at all costs! Such a design is painfully insecure. Any steady username/password combination can be obtained and replayed over time.

Lovely sentiment (which I actually agree with) but it has the substantial problem that that means avoiding nearly all consumer banks. This makes the suggestion impractical to follow.
This is characteristic of a lot of the problems of security in practice: the security professionals set the bar too high; so high that the people who have to operate in the field cannot reach it. The field operators quickly conclude that the sage security advice must be intended for "someone else", and then wander off and do whatever they think is best. The result is often horribly insecure practices like using social security numbers as authenticators.
So let's try to keep it real. Reusable passwords are horrible security measures, and should be replaced with cryptographic tokens. HOWEVER, for many, if not most purposes, reusable passwords can provide an acceptable level of security, especially when combined with cryptographic tunneling technologies like SSL or SSH. Save the "avoid at all costs" alarm for truly bone-head moves like non-SSL reusable passwords or social security number authenticators.
Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html