Penetration Testing mailing list archives
Re: [PEN-TEST] Home-Banking PEN-TESTING
From: "van der Kooij, Hugo" <Hugo.van.der.Kooij () CAIW NL>
Date: Tue, 29 Aug 2000 20:33:57 +0200
On Tue, 29 Aug 2000, Christopher Laycock wrote:
> IMHO: The bank should warn people not to store their password in the Cache of their web browser. This would stop some attacks, although they shouldn't be responsible for Keystroke logs. Most of the problems would be solved if the user had a long password and was asked for random characters from it e.g. "Please enter the 3rd, 26th, 38th, 41st and 107th characters of your password" and setting it so that only logging on and off will change the characters required. AFAIK this system is used by some banks over the phone but not over the net.
Fixed passwords are usually considered insecure. I would advise not to use electronic banking with fixed passwords. (I don't know any Dutch bank that uses fixed passwords. The ones I've seen all use challenge/response tokens.)

Hugo.

-- 
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
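The partial-password scheme described in the quoted message, as an added sketch that is not part of the original thread: the server asks for a few character positions and keeps asking for the same ones until a login succeeds, so failed attempts cannot re-roll the challenge. The class and function names are hypothetical, and the lockout threshold is an assumption added because each challenge covers only a few characters.

```python
import hmac
import secrets


class PartialPasswordLogin:
    """Server side of a partial-password login for one account (hypothetical)."""

    def __init__(self, password: str, k: int = 3, max_failures: int = 3):
        # The server has to read single characters, so it cannot keep only a
        # one-way hash of the whole password; the secret must be recoverable.
        self._password = password
        self._k = k
        self._max_failures = max_failures  # assumed lockout threshold
        self._positions = None             # current challenge, if any
        self.failures = 0

    def challenge(self) -> list:
        """Return the 1-based character positions the user must supply."""
        if self.failures >= self._max_failures:
            raise PermissionError("account locked")
        if self._positions is None:
            # Drawn once, then reused until a login succeeds.
            rng = secrets.SystemRandom()
            self._positions = sorted(
                rng.sample(range(1, len(self._password) + 1), self._k))
        return list(self._positions)

    def verify(self, answer: str) -> bool:
        """Check the answer; rotate the challenge only after a success."""
        positions = self.challenge()
        expected = "".join(self._password[p - 1] for p in positions)
        # Constant-time comparison of the requested characters.
        ok = hmac.compare_digest(answer.encode(), expected.encode())
        if ok:
            self._positions = None
            self.failures = 0
        else:
            self.failures += 1
        return ok


def answer_for(password: str, positions: list) -> str:
    """Client side: pick the requested characters out of the password."""
    return "".join(password[p - 1] for p in positions)
```

A keystroke log of one session reveals only the characters at the challenged positions, but those stay valid until the next successful login, and the server must hold the password in recoverable form.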