Bugtraq mailing list archives
Re: Vulnerability in credit union's E-statement feature
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Sat, 1 Sep 2001 20:34:23 +0200 (CEST)
On Fri, 31 Aug 2001, BlueJAMC wrote:
Obviously, the problem here is clear; the account number is clear text. Of course, the link requires you to include a password. However, considering the fact that most users the same password for everything--e-mail, e-statements, chatroom SNs, etc--the requirement to use a password is little consolation. This, coupled with the fact that the individual branches for the credit union do not check for any type of identification other than a signature when making a withdrawl, makes this even more dangerous.
Any bank using plain username/password authentication should be avoided at all costs! Such a design is painfully insecure. Any steady username/password combination can be obtained and replayed over time. It usually only takes a glance on the keyboard of someone typing his/her password to get a good hunch. (recognize any name, carbrand, ....?) I'm not aware of other country's specifications but in the Netherlands all banks use some sort of one-time passwords. Most of them use the tokens made by Vasco. The security requires 3 items: - challenge generated by the server - physical access to the OTP generator. (stack 5 credit cards and you got a picture of the size ;-) - pincode of the OTP These generate a response that is unique and is send back to the server. Hugo. -- All email send to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
Current thread:
- Vulnerability in credit union's E-statement feature BlueJAMC (Sep 01)
- Re: Vulnerability in credit union's E-statement feature Scott Dier (Sep 02)
- Re: Vulnerability in credit union's E-statement feature Hugo van der Kooij (Sep 02)
- Re: Vulnerability in credit union's E-statement feature Crispin Cowan (Sep 02)