Bugtraq mailing list archives

Re: Vulnerability in credit union's E-statement feature


From: Scott Dier <dieman () ringworld org>
Date: Sun, 2 Sep 2001 00:10:39 -0500

* BlueJAMC <bluejamc () netzero net> [010901 11:11]:
> Please click on the following Link to retrieve your Credit Union
> Statement:
> https://www.siouxfallsfcu.org/servlet/com.sos.estatements.PreLogin?UName=12345-5&Month=8&Year=2001
> 
> Well, at this point, I'm tired of waiting.  I do realize that, as Mr.
> Kavanaugh described above, that they are at the mercy of their vendor.
> 
> Resolution:  Obviously this depends on the vendor.  However, the
> suggestion I gave initially was to use either a random number which

Possible solution:

USAA lets me receive multiple documents in PDF format via the web.  When
a new 'document' is given to me from them I receive an email telling me
to go to 'www.usaa.com' and to login and check the documents section for
a new document.

I think this is an acceptable balance between account security and user
convenience.  It's unacceptable to have any sort of 'shortcut' to my
username in plaintext, IMO.

(On a side note, I'm pretty impressed with the amount of thought that
USAA has put into their web offerings, even when you change your
password you get a *snail mail* notice letting you know, just in case.
Of course, that's too slow. :) )

-- 
Scott Dier <dieman () ringworld org> <sdier () debian org>
http://www.ringworld.org/  #linuxos () irc openprojects net
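
The notification model Scott describes (an e-mail that carries no account identifier, with the statement served only after login), as an added example that is not code from this thread or from either vendor. The servlet path, the 30-day lifetime and the in-memory token store are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint; the real vendor servlet is not known from the thread.
BASE = "https://www.siouxfallsfcu.org/servlet/estatement"
TOKEN_TTL = 30 * 24 * 3600  # assumed 30-day link lifetime

# Constructed in-memory store standing in for the vendor database:
# token -> (account, month, year, expires_at)
_tokens = {}


def issue_statement_link(account, month, year, now=None):
    """Build the e-mail link. The account number never appears in the URL;
    a random 256-bit token is mapped to it server-side instead."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[token] = (account, month, year, now + TOKEN_TTL)
    return BASE + "?" + urlencode({"t": token})


def token_from_link(link):
    """Extract the token the user clicked on (what the servlet would read)."""
    return parse_qs(urlparse(link).query).get("t", [None])[0]


def retrieve_statement(token, logged_in_account, now=None):
    """Serve the statement only if the token is known and unexpired AND the
    authenticated session belongs to the account it was issued for.
    Returns (month, year) on success, None otherwise."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    if entry is None:
        return None
    account, month, year, expires_at = entry
    if now > expires_at:
        _tokens.pop(token, None)  # expired links are discarded, not reused
        return None
    if not secrets.compare_digest(account, logged_in_account):
        return None  # forwarded or guessed link: wrong session, refuse
    return (month, year)
```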