Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 29 Aug 2000 20:33:57 +0200

On Tue, 29 Aug 2000, Christopher Laycock wrote:

> IMHO: The bank should warn people not to store their password in the cache
> of their web browser.  This would stop some attacks, although they shouldn't
> be responsible for keystroke logs.  Most of the problems would be solved if
> the user had a long password and was asked for random characters from it, e.g.
> "Please enter the 3rd, 26th, 38th, 41st and 107th characters of your
> password", and setting it so that only logging on and off will change the
> characters required.  AFAIK this system is used by some banks over the phone
> but not over the net.

Fixed passwords are usually considered insecure. I would advise not to use
electronic banking with fixed passwords. (I don't know any Dutch bank that
uses fixed passwords. The ones I've seen all use challenge/response
tokens.)

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
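The partial-password scheme Christopher describes in the quoted text ("enter the 3rd, 26th ... characters", with the positions fixed until the user logs on or off) can be sketched as a small verifier. The code below is an added illustration written for this archive page; it is not code from either poster or from any bank. The class name, the session handling, the lock-out after a fixed number of failures and the sample password are all assumptions made for the example. The point it shows is the property the post relies on: a session keeps the same positions across reloads and failed attempts, so an attacker cannot simply refresh the page until the positions they already know come up.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class _Session:
    positions: tuple   # 1-based character positions asked for, sorted
    failures: int = 0  # wrong answers given against these positions


class PartialPasswordVerifier:
    """Toy partial-password login (assumed design, not a real bank's code).

    A session is issued one set of positions.  That set stays fixed until the
    login succeeds, the session is closed, or too many failures lock it; only
    then does a new session draw fresh positions.
    """

    def __init__(self, password, positions_asked=5, max_failures=3, rng=None):
        if positions_asked > len(password):
            raise ValueError("password shorter than the number of positions asked")
        # A partial-password scheme must be able to check individual
        # characters, so the server cannot keep just a hash of the whole
        # password.  Here it is held in memory for the example only.
        self._password = password
        self._k = positions_asked
        self._max_failures = max_failures
        self._rng = rng or secrets.SystemRandom()
        self._sessions = {}

    def open_session(self):
        """Start a login attempt and draw its (distinct, random) positions."""
        sid = secrets.token_hex(8)
        positions = self._rng.sample(range(1, len(self._password) + 1), self._k)
        self._sessions[sid] = _Session(tuple(sorted(positions)))
        return sid

    def challenge(self, sid):
        """Positions the user must answer; None if the session no longer exists.

        Calling this repeatedly returns the same tuple: reloading the page
        does not hand out a fresh set of positions.
        """
        s = self._sessions.get(sid)
        return None if s is None else s.positions

    def verify(self, sid, answer):
        """Check the characters supplied for this session's positions."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        expected = "".join(self._password[p - 1] for p in s.positions)
        # Constant-time comparison; differing lengths simply compare unequal.
        ok = hmac.compare_digest(expected.encode(), answer.encode())
        if ok:
            del self._sessions[sid]   # success ends the session -> new positions next time
            return True
        s.failures += 1
        if s.failures >= self._max_failures:
            del self._sessions[sid]   # lock out: no unlimited guessing of the same few characters
        return False

    def close_session(self, sid):
        """Explicit log-off: discards the positions so the next login draws new ones."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    v = PartialPasswordVerifier("correct horse battery staple", positions_asked=4)
    sid = v.open_session()
    asked = v.challenge(sid)
    print("positions asked:", asked)
    print("wrong answer accepted?", v.verify(sid, "zzzz"))
    print("same positions after failure?", v.challenge(sid) == asked)
```

The lock-out and the fixed-per-session positions are what make the scheme more than a shorter password: without them an attacker who has captured a few characters could keep retrying until a challenge covering only those characters appears. The comment in the constructor is the practical caveat of such schemes: the server has to keep the password in a form from which single characters can be checked, which is weaker storage than a salted hash of the whole password.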

