Bugtraq mailing list archives
Re: Vulnerability in credit union's E-statement feature
From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Sat, 1 Sep 2001 20:34:23 +0200 (CEST)
On Fri, 31 Aug 2001, BlueJAMC wrote:
> Obviously, the problem here is clear; the account number is clear text. Of course, the link requires you to include a password. However, considering the fact that most users use the same password for everything--e-mail, e-statements, chatroom SNs, etc--the requirement to use a password is little consolation. This, coupled with the fact that the individual branches for the credit union do not check for any type of identification other than a signature when making a withdrawal, makes this even more dangerous.
Any bank using plain username/password authentication should be avoided
at all costs! Such a design is painfully insecure. Any steady
username/password combination can be obtained and replayed over time.
It usually only takes a glance at the keyboard of someone typing his/her
password to get a good hunch. (recognize any name, car brand, ....?)
I'm not aware of other countries' specifications but in the Netherlands all
banks use some sort of one-time passwords. Most of them use the tokens
made by Vasco.
The security requires 3 items:
- challenge generated by the server
- physical access to the OTP generator. (stack 5 credit cards and you got
a picture of the size ;-)
- pincode of the OTP
These generate a response that is unique and is sent back to the server.
Hugo.
--
All email sent to me is bound to the rules described on my homepage.
hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
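The three-part challenge/response login Hugo describes (server challenge, token in hand, PIN), as an added, simplified Python model that is not part of the original post and not Vasco's actual Digipass algorithm; the HMAC-based response, the PIN check and the 8-digit truncation are assumptions chosen for illustration. It also shows why the captured response cannot be replayed the way a static password can.

```python
import hashlib
import hmac
import secrets

# Added, simplified model of the challenge/response OTP login in the post.
# The PIN check and 8-digit truncation are assumptions, not Vasco's design.

def otp(seed: bytes, challenge: str) -> str:
    """Response = HMAC(seed, challenge), truncated to 8 decimal digits."""
    mac = hmac.new(seed, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Token:
    """The physical OTP generator: holds the seed, unlocked by a PIN."""
    def __init__(self, seed: bytes, pin: str) -> None:
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
    def respond(self, pin: str, challenge: str) -> str:
        # Possession alone is not enough: the PIN is needed to get a response.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            raise PermissionError("wrong PIN")
        return otp(self._seed, challenge)

class BankServer:
    """Issues a fresh random challenge per login and accepts each one once."""
    def __init__(self) -> None:
        self._seeds: dict = {}
        self._pending: dict = {}
    def enrol(self, user: str, pin: str) -> Token:
        self._seeds[user] = secrets.token_bytes(32)
        return Token(self._seeds[user], pin)
    def challenge(self, user: str) -> str:
        self._pending[user] = f"{secrets.randbelow(10**8):08d}"
        return self._pending[user]
    def verify(self, user: str, response: str) -> bool:
        challenge = self._pending.pop(user, None)  # consumed on first use
        if challenge is None:
            return False
        return hmac.compare_digest(otp(self._seeds[user], challenge), response)

def replay_demo() -> tuple:
    """A real login succeeds once; the same response is worthless afterwards."""
    server = BankServer()
    token = server.enrol("alice", "1234")  # constructed user and PIN
    response = token.respond("1234", server.challenge("alice"))
    first = server.verify("alice", response)
    stale = server.verify("alice", response)  # challenge already consumed
    server.challenge("alice")  # new login: observed response vs. new challenge
    fresh = server.verify("alice", response)
    return first, stale, fresh
```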
