Bugtraq mailing list archives
Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: "Kevin Sheldrake" <kev () electriccat co uk>
Date: Fri, 06 Aug 2004 12:31:11 +0100
Not unless the card is stolen and the owner either doesn't notice immediately or doesn't report it immediately. How many people will turn up at work (for instance) claiming to have 'forgotten' their card rather than report it lost, on the off chance they have actually misplaced it? If the keys give access to money, reputation, authority or the like then perhaps the size of the exposure window is important?
Kev
Perhaps I'm missing something here. As far as I can tell, no keys located on the card were compromised, only the PIN was. Since this is a two factor authentication system, possession of the PIN is of little value without possession of the token itself. Am I missing the point here? regards, -lee
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd