Bugtraq mailing list archives

Re: Statistical Attack Against Virtual Banks


From: andre () CS UCSB EDU (Andre L. Dos Santos)
Date: Tue, 8 Feb 2000 23:38:05 -0800


On Wed, 9 Feb 2000, HC Security wrote:


> > (...) Therefore, it is a widespread
> > practice to use 4 or 6 digit PINs. Because of the small length of the PINs
> > an attacker can target a particular account and try all possibilities. In
> > order to defend against this class of attacks, banks usually lock out
> > accounts after a certain number of unsuccessful identification attempts.
>
> I don't know what is the case in California, but I don't think I can
> emphasise heavily enough how immensely stupid it is to rely _solely_ on a 4
> (or 6) digit PIN for full access to the bank account. How come, when there
> are so many other easy-to-implement solutions which are way better when it
> comes to security? To use the same code day after day on the same
> website...... that statistical attack is perhaps not the worst, what if
> someone snooped your traffic or logged on to your win98 computer and simply
> retrieved your PIN?

  How are you going to snoop a PIN code that is not stored locally and
is transmitted using SSL or a java applet using encryption? Anyway, if I
have access to a win98 computer I can do many nasty things...

> Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
> least_ use one-time passwords, or so-called digipasses (the user types his
> PIN on a small, personal calculator-type device which returns a 6 digit
> code to use for authentication in the virtual bank - this code expires
> after 15 min or so).

  I don't see why this is better than a PIN, unless it is a separated
device (with the overhead of the user having to carry this token). In
addition, if I know how the device generates the code from the PIN, this
only represents an extra step in the attack.

> > Some banks use alphanumeric characters for authentication. An attacker can
> > use dictionary words, instead of numbers, in this case to attack these
> > banks.
>
> Mensch!
>
> --
> Regards,
>
> Snorre Haugnes
> HC Security


  Cheers,

  Andre.

