WebApp Sec mailing list archives

Re: Question concerning Access Card


From: Richard Douglas García Rondon <ric-garc () uniandes edu co>
Date: Tue, 27 Apr 2004 19:01:16 -0500

Hi, 

The following link explains that method:

http://szabo.best.vwh.net/secret.html

The secret is the password.

Chaoo,

Richard G.

Quoting Peter Conrad <conrad () tivano de>:

Hi,

On Thu, Apr 22, 2004 at 08:27:12AM -0000, Adrian Wiesmann wrote:

The Access Card for which I am searching whitepapers and descriptions looks like
that classic game where two players try to sink each other's ships on some
matrix. It is nearly credit-card sized and has letters on the x axis and
numbers on the y axis, forming a matrix like this example.
The resulting fields then contain the passwords:

----a----b----c----d---
1--111--358--274--245--
2--212--978--852--973--
3--123--234--963--245--
4--568--866--123--156--

Now my question: Does any of you know this method for accessing online
banking or other websites? Does anybody have an idea what kind of technology is
behind this list (it looks to me like the normal cancellation list, only in
another structure so that a new one does not have to be shipped after all items were
used)?

I don't know if that's the case here, but it looks like a simple way
to make the handling of a very long PIN easier. E.g. I have an online
bank account where I get asked for a random selection of digits from a
longer PIN (e.g. "Please enter digits 3, 7 and 9 from your PIN"). I
suppose in the above case you'd be asked "Please enter PIN b3", which
is basically the same mechanism.

IMO this does not add any real security. A powerful eavesdropper could
reconstruct the Access Card by watching you log in repeatedly. A casual
eavesdropper who has seen only one question/response pair could wait until
the same question is asked again and then use the known response.

Bye,
      Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
Germany



--------------------------------------------------------------------------
Richard García Rondón.
Electronic Engineer, Escuela Naval "Almirante Padilla"
Specialist in Telematics, Universidad de la Coruña (Spain).
Master's student in Systems and Computing, Universidad de los Andes
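A small simulation of the two eavesdropper cases Peter describes, added here as an example and not part of the original thread. It uses the 4x4 grid quoted from Adrian's message and assumes the server picks one cell uniformly at random per login; the trial count and seed are arbitrary.

```python
"""Simulate the grid "Access Card" challenge-response scheme and the two
eavesdropper scenarios from the thread. The card is the example grid quoted
above; the random-cell challenge policy is an assumption."""
import random
from itertools import product

# Constructed from the example grid in Adrian's message (columns a-d, rows 1-4).
CARD = {
    "a": ["111", "212", "123", "568"],
    "b": ["358", "978", "234", "866"],
    "c": ["274", "852", "963", "123"],
    "d": ["245", "973", "245", "156"],
}
CELLS = [f"{col}{row}" for col, row in product("abcd", "1234")]  # "a1".."d4"

def lookup(card, cell):
    """Answer a challenge such as 'b3' by reading the card."""
    return card[cell[0]][int(cell[1]) - 1]

def logins_until_card_recovered(card, rng):
    """Powerful eavesdropper: record every (challenge, response) pair seen on
    the wire until all 16 cells are known. Returns the number of logins watched."""
    known = {}
    logins = 0
    while len(known) < len(CELLS):
        cell = rng.choice(CELLS)          # server picks a random cell (assumption)
        known[cell] = lookup(card, cell)  # eavesdropper records the answer
        logins += 1
    return logins

def average_logins_to_recover(trials=2000, seed=1):
    """Average over many simulated victims; theory (coupon collector) gives
    16 * H(16), roughly 54 logins."""
    rng = random.Random(seed)
    return sum(logins_until_card_recovered(CARD, rng) for _ in range(trials)) / trials

def replay_chance(seen_cells, future_logins, n_cells=len(CELLS)):
    """Casual eavesdropper who captured `seen_cells` distinct cells: probability
    that at least one of the next `future_logins` challenges repeats one of them,
    so the captured response can simply be replayed."""
    miss = (n_cells - seen_cells) / n_cells
    return 1 - miss ** future_logins

if __name__ == "__main__":
    print(f"avg logins to recover the whole card: {average_logins_to_recover():.1f}")
    print(f"P(replay within 10 logins after one capture): {replay_chance(1, 10):.2f}")
```

The figures show why the grid is a convenience for long PINs rather than a defence against an observer: one captured pair is usable again within about ten logins with near even odds.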

