Bugtraq mailing list archives
Re: Vulnerability in credit union's E-statement feature
From: Scott Dier <dieman () ringworld org>
Date: Sun, 2 Sep 2001 00:10:39 -0500
* BlueJAMC <bluejamc () netzero net> [010901 11:11]:
> Please click on the following Link to retrieve your Credit Union Statement: https://www.siouxfallsfcu.org/servlet/com.sos.estatements.PreLogin?UName =12345-5&Month=8&Year=2001

> Well, at this point, I'm tired of waiting. I do realize that, as Mr. Kavanaugh described above, that they are at the mercy of their vendor.

> Resolution: Obviously this depends on the vendor. However, the suggestion I gave initially was to use either a random number which
Possible solution:

USAA lets me receive multiple documents in PDF format via the web. When a new 'document' is given to me from them I receive an email telling me to go to 'www.usaa.com' and to login and check the documents section for a new document.

I think this is an acceptable balance between account security and user convenience. It's unacceptable to have any sort of 'shortcut' to my username in plaintext, IMO.

(On a side note, I'm pretty impressed with the amount of thought that USAA has put into their web offerings, even when you change your password you get a *snail mail* notice letting you know, just in case. Of course, that's too slow. :) )

--
Scott Dier <dieman () ringworld org> <sdier () debian org>
http://www.ringworld.org/ #linuxos () irc openprojects net
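The difference between the two notification styles discussed in this message can be checked before a mail is sent. The following Python check is an added example, not part of the original post or of either institution's software: it flags links in a notification body that reveal which account they are for. The host names, the sample mails and the parameter-name list are constructed assumptions; only `UName` and the account number `12345-5` come from the quoted link.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed list of parameter names that identify a member; "UName" is the one
# in the quoted link, the others are illustrative.
ID_PARAM_NAMES = {"uname", "user", "username", "account", "acct", "member"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def audit_notification(body, account_ids):
    """Return (url, reason) pairs for links that reveal which account they are for."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")  # drop sentence punctuation glued to the link
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in ID_PARAM_NAMES:
                findings.append((url, f"identifier parameter {name}"))
            elif value in account_ids:
                # Renaming the parameter does not help if the value is the account id.
                findings.append((url, f"account id in parameter {name}"))
        if any(acct in parts.path for acct in account_ids):
            findings.append((url, "account id in path"))
    return findings


# Constructed sample mails (hosts are placeholders).
ACCOUNTS = {"12345-5"}
SHORTCUT_MAIL = ("Please click on the following link to retrieve your statement: "
                 "https://estatements.example.org/servlet/PreLogin"
                 "?UName=12345-5&Month=8&Year=2001")
RENAMED_MAIL = "Your statement: https://estatements.example.org/view?ref=12345-5&m=8."
LOGIN_ONLY_MAIL = ("A new document is available. Go to https://www.example.org/ "
                   "and log in to check the documents section.")

if __name__ == "__main__":
    for mail in (SHORTCUT_MAIL, RENAMED_MAIL, LOGIN_ONLY_MAIL):
        print(audit_notification(mail, ACCOUNTS))
```
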
Current thread:
- Vulnerability in credit union's E-statement feature BlueJAMC (Sep 01)
- Re: Vulnerability in credit union's E-statement feature Scott Dier (Sep 02)
- Re: Vulnerability in credit union's E-statement feature Hugo van der Kooij (Sep 02)
- Re: Vulnerability in credit union's E-statement feature Crispin Cowan (Sep 02)