WebApp Sec mailing list archives
Re: Question concerning Access Card
From: Richard Douglas García Rondon <ric-garc () uniandes edu co>
Date: Tue, 27 Apr 2004 19:01:16 -0500
Hi,

The next link explains that method: http://szabo.best.vwh.net/secret.html
the secret is the password.

Chaoo,
Richard G.

Quoting Peter Conrad <conrad () tivano de>:

> Hi,
>
> On Thu, Apr 22, 2004 at 08:27:12AM -0000, Adrian Wiesmann wrote:
> > The Access Card which I search whitepapers and descriptions for looks
> > like that classic game where two players try to sink each other's ships
> > on some matrix. It is nearly credit card sized and has letters on the
> > x axis and numbers on the y axis building some matrix in the way like
> > this example. The resulting fields then contain the passwords:
> >
> > ----a----b----c----d---
> > 1--111--358--274--245--
> > 2--212--978--852--973--
> > 3--123--234--963--245--
> > 4--568--866--123--156--
> >
> > Now my question: Does anybody of you know this method to access online
> > banking or other websites? Anybody an idea what kind of technology is
> > behind this list (looks to me like the normal cancellation list only in
> > another structure to not have to ship a new one after all items were
> > used)?
>
> I don't know if that's the case here, but it looks like a simple way to
> make the handling of a very long PIN easier. E.g. I have an online bank
> account where I get asked for a random selection of digits from a longer
> PIN (e.g. "Please enter digits 3, 7 and 9 from your PIN"). I suppose in
> the above case you'd be asked "Please enter PIN b3", which is basically
> the same mechanism.
>
> IMO this does not add any real security. A powerful eavesdropper could
> reconstruct the Access Card by watching you login repeatedly. A casual
> eavesdropper who has seen only one question/response pair could wait
> until the same question is asked again and then use the known response.
>
> Bye,
> Peter
> --
> Peter Conrad                  Tel: +49 6102 / 80 99 072
> [ t]ivano Software GmbH       Fax: +49 6102 / 80 99 071
> Bahnhofstr. 18                http://www.tivano.de/
> 63263 Neu-Isenburg
> Germany
--------------------------------------------------------------------------
Richard García Rondón.
Electronic Engineer, Escuela Naval "Almirante Padilla"
Specialist in Telematics, Universidad de la Coruña (Spain).
Master's student in Systems and Computing, Universidad de los Andes
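The two eavesdropping cases raised in the quoted message can be put into numbers. This is an added example, not part of the thread: it assumes each login challenges one cell of the 16-cell sample card, chosen uniformly at random and independently, with cells reused (the function names are hypothetical).

```python
"""Exposure model for a reusable grid access card (added example).

Assumptions (not stated in the thread): every login challenges exactly one
cell, picked uniformly at random and independently, and cells are reused.
"""
import math

CARD_CELLS = 4 * 4  # sample card in the thread: columns a-d, rows 1-4


def replay_chance(cells: int, later_logins: int) -> float:
    """Chance that one already-observed challenge recurs within later_logins."""
    return 1.0 - (1.0 - 1.0 / cells) ** later_logins


def logins_until_replay_likely(cells: int, threshold: float = 0.5) -> int:
    """Smallest number of later logins at which replay_chance >= threshold."""
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    if cells == 1:
        return 1  # a one-cell card repeats its challenge immediately
    return math.ceil(math.log(1.0 - threshold) / math.log(1.0 - 1.0 / cells))


def expected_cells_disclosed(cells: int, observed_logins: int) -> float:
    """Expected number of distinct cells seen after observed_logins logins."""
    return cells * replay_chance(cells, observed_logins)


def expected_logins_to_full_disclosure(cells: int) -> float:
    """Expected observed logins until every cell was shown (coupon collector)."""
    return cells * sum(1.0 / i for i in range(1, cells + 1))


if __name__ == "__main__":
    # 16 cells is the card from the thread; 100 is a constructed comparison.
    for cells in (CARD_CELLS, 100):
        print(f"{cells} cells:")
        print(f"  one observed pair reusable on the next login: "
              f"{replay_chance(cells, 1):.2%}")
        print(f"  logins until reuse is more likely than not:  "
              f"{logins_until_replay_likely(cells)}")
        print(f"  cells disclosed after {cells} observed logins:    "
              f"{expected_cells_disclosed(cells, cells):.1f}")
        print(f"  observed logins until whole card is known:   "
              f"{expected_logins_to_full_disclosure(cells):.1f}")
```

A larger card only stretches these numbers; they reach zero exposure from reuse only if a cell is retired after its first use, which is the cancellation-list behaviour the original question mentions.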