Security Basics mailing list archives

RE: Bank Of Montreal Online Security


From: "Alexander A. Kelner" <a.kelner () noc brsi ru>
Date: Tue, 30 Oct 2012 00:19:34 +0400 (MSK)


From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mrtolton () gmail com
Sent: Friday, October 26, 2012 2:08 PM
To: security-basics () securityfocus com
Subject: Bank Of Montreal Online Security

It's come to my attention that the Bank Of Montreal online security is
shockingly lax. First of all, regardless of your password length, it only
cares about the first six characters. Even more insane is it doesn't matter
what case the letters are, it will allow you access all the same.

On top of this, there's a bug in the iPhone app which will not allow you to
unsave your card number.

It's a good thing they guarantee 100% of your money against fraudulent
transfers, because it's only a matter of time.

Hello.

IMHO "shocking laxity" is not as obvious as it may appear at first
approach.

Six chars give us about (26+10)^6 = 2 billion possible passwords.
If their server is smart enough to allow as little as 1 authentication attempt
per second for the same account, then you will spend some hundreds of years
trying to brute force it.

BUT! The short password can be easily memorized, while the long password must
be recorded somewhere (sometimes in a very inappropriate place), and then may
be stolen. Which password length is more secure - that is a question.




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727
d1
------------------------------------------------------------------------






---
Alexander A. Kelner
Senior engineer
CT Network Operation Center
RosTelecom - Bryansk
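A worked check of the keyspace arithmetic in the reply above, added here as an example and not part of either message. It models the comparison scheme the original post describes (only the first six characters count, letter case ignored), counts the candidates that scheme leaves, and converts that into worst-case time at a fixed online attempt rate, alongside two comparison policies. The policy names and sample passwords are constructed for the example.

```python
import math
from dataclasses import dataclass


# Constructed model of the scheme the original post describes: only the
# first six characters are compared and letter case is ignored.
def effective_secret(password: str, keep: int = 6) -> str:
    """Return the part of the password that actually takes part in the check."""
    return password[:keep].lower()


def collide(a: str, b: str, keep: int = 6) -> bool:
    """True when two different passwords are indistinguishable under the scheme."""
    return effective_secret(a, keep) == effective_secret(b, keep)


@dataclass(frozen=True)
class Policy:
    name: str              # constructed label, not a bank setting
    effective_length: int  # characters that actually take part in the check
    alphabet_size: int     # distinct symbols per position after case folding

    def keyspace(self) -> int:
        return self.alphabet_size ** self.effective_length

    def entropy_bits(self) -> float:
        return self.effective_length * math.log2(self.alphabet_size)


def years_to_exhaust(keyspace: int, attempts_per_second: float) -> float:
    """Worst case: every candidate tried once at a fixed, throttled rate."""
    seconds = keyspace / attempts_per_second
    return seconds / (365 * 24 * 3600)


ALNUM_CASE_FOLDED = 26 + 10         # a-z and 0-9, as in the reply's arithmetic
ALNUM_CASE_SENSITIVE = 26 + 26 + 10

POLICIES = [
    Policy("first 6 chars, case folded (as described)", 6, ALNUM_CASE_FOLDED),
    Policy("6 chars, case sensitive", 6, ALNUM_CASE_SENSITIVE),
    Policy("12 chars, case sensitive", 12, ALNUM_CASE_SENSITIVE),
]


def report(attempts_per_second: float = 1.0) -> list[tuple[str, int, float, float]]:
    """One row per policy: name, keyspace, entropy bits, years at the given rate."""
    return [
        (p.name, p.keyspace(), p.entropy_bits(),
         years_to_exhaust(p.keyspace(), attempts_per_second))
        for p in POLICIES
    ]


if __name__ == "__main__":
    # Two constructed passwords that look unrelated but are equivalent under the scheme.
    print(collide("Passw0rd-Long-And-Strong", "PASSW0"))
    for name, space, bits, years in report(attempts_per_second=1.0):
        print(f"{name:45s} {space:>25,d} {bits:6.1f} bits {years:>14,.1f} years")
```

The table this prints makes the policy point: truncation and case folding, not the six-character minimum by itself, cap the work factor at about 31 bits, and a per-account throttle of one attempt per second is what turns that into decades rather than hours. Raising the limit on either side (full-length comparison, preserved case) or lowering the permitted rate moves the number; a longer password entered by the user does not, because the scheme discards it.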


