Bugtraq mailing list archives

Re: Vulnerability in credit union's E-statement feature


From: Crispin Cowan <crispin () wirex com>
Date: Sun, 02 Sep 2001 14:16:29 -0700

Hugo van der Kooij wrote:

> On Fri, 31 Aug 2001, BlueJAMC wrote:
>
> > Obviously, the problem here is clear; the account number is clear text.
> > Of course, the link requires you to include a password. However,
> > considering the fact that most users use the same password for
> > everything--e-mail, e-statements, chatroom SNs, etc.--the requirement to
> > use a password is little consolation. This, coupled with the fact that
> > the individual branches for the credit union do not check for any type
> > of identification other than a signature when making a withdrawal, makes
> > this even more dangerous.
>
> Any bank using plain username/password authentication should be avoided
> at all costs! Such a design is painfully insecure. Any steady
> username/password combination can be obtained and replayed over time.

Lovely sentiment (which I actually agree with) but it has the substantial problem that that means avoiding nearly all consumer banks. This makes the suggestion impractical to follow.

This is characteristic of a lot of the problems of security in practice: the security professionals set the bar too high, so high that the people who have to operate in the field cannot reach it. The field operators quickly conclude that the sage security advice must be intended for "someone else", and then wander off and do whatever they think is best. The result is often horribly insecure practices like using social security numbers as authenticators.

So let's try to keep it real. Reusable passwords are horrible security measures, and should be replaced with cryptographic tokens. HOWEVER, for many, if not most purposes, reusable passwords can provide an acceptable level of security, especially when combined with cryptographic tunneling technologies like SSL or SSH. Save the "avoid at all costs" alarm for truly bone-head moves like non-SSL reusable passwords or social security number authenticators.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
