Re: Bank Of Montreal Online Security

[Michael Peppard <mpeppard () impole com>]

What you are (biometrics)
What you know (Password)
What you have (a key)

This has to go both ways. You both have to have verification that you 
are who you are, that you both know the same things and that your key is 
unique to a unique lock. False security on any vector makes it easier to 
break the rest, whether through old fashioned social engineering or 
stolen cycles on a mainframe cracking keys.

All are equally important and vulnerable. At least use a unique and hard 
to crack password, it's the only part end users directly control.

Any suggestion that -simply- having a good password is fine is just 
silly and wasn't my intention. If the bank cares so little they won't 
spend a tiny fraction of their profit on a good, well designed 
authentication scheme... go to another bank.

On 11/01/2012 05:40 PM, Savvy95 () gmail com wrote:
> Type it in blind; that would be difficult.
>
> ;)
>
> Glen Victor
>
> Sent from my HTC on the Now Network from Sprint!
>
> ----- Reply message -----
> From: "Michael Peppard" <mpeppard () impole com>
> Date: Thu, Nov 1, 2012 16:36
> Subject: Bank Of Montreal Online Security
> To: <security-basics () securityfocus com>
>
> Take 'old o' the Wings o' the Mornin', An' flop round the earth till
> you're dead
>
> Good luck cracking that password. Kipling's Widow at Windsor for those
> that don't recognize it.
>
> On 11/01/2012 02:31 PM, Alexander A. Kelner wrote:
> > On Thu, 1 Nov 2012, Hough, Kenneth P wrote:
> >
> >> Date: Thu, 01 Nov 2012 12:24:05 -0400
> >> From: "Hough, Kenneth P" <kenneth.phough () WPI EDU>
> >> To: Alexander Meesters <a.meesters () sansyl com>,
> >>     Alexander A. Kelner <a.kelner () noc brsi ru>
> >> Cc: "security-basics () securityfocus com"
> >> <security-basics () securityfocus com>,
> >>     security-basics-return-58248-a kelner=noc brsi ru
> >> <security-basics-return-58248-a.kelner=noc.brsi.ru () securityfocus com>
> >> Subject: RE: Bank Of Montreal Online Security
> >>
> >> Also substituting letters with symbols will help, for example:
> >>> And then william sayed:"I really hate cake!"
> >> Change the 'a' to @ and 's' to $
> >>> And then willi@m $ayed:"I really hate cake!"
> >
> > Guys, excuse me, but you are tricking yourself.
> > Hackers know all this and much more, when cracks your passwords.
> >
> >>
> >> -----Original Message-----
> >> From: listbounce () securityfocus com
> >> [mailto:listbounce () securityfocus com] On Behalf Of Alexander Meesters
> >> Sent: Thursday, November 01, 2012 9:53 AM
> >> To: Alexander A. Kelner
> >> Cc: security-basics () securityfocus com; security-basics-return-58248-a
> >> kelner=noc brsi ru
> >> Subject: Re: Bank Of Montreal Online Security
> >>
> >> Well, i believe that if you use proper punctuation it would be near
> >> to impossible, cause a automated dictionary attack does not know
> >> proper grammar, for example:
> >>> And then william sayed:"I really hate cake!"
> >> plus a dictionary attack also has a lot of problems with dialects and
> >> slang, so in order for a dictionary attack to be successful they must
> >> use a tool that uses some kind of AI.
> >> At least that is what i believe, please correct me if i'm wrong, my
> >> experience with dictionary attacks are not that great.
> >>
> >> Alex
> >>
> >>
> >> ----- Oorspronkelijk bericht -----
> >>
> >> Van: "Alexander A. Kelner" <a.kelner () noc brsi ru>
> >> Cc: security-basics () securityfocus com,
> >> "security-basics-return-58248-a kelner=noc brsi ru"
> >> <security-basics-return-58248-a.kelner=noc.brsi.ru () securityfocus com>
> >> Verzonden: Woensdag 31 oktober 2012 21:49:23
> >> Onderwerp: RE: Bank Of Montreal Online Security
> >>
> >> On Wed, 31 Oct 2012, Dave Kleiman wrote:
> >>
> >>> Date: Wed, 31 Oct 2012 09:26:30 -0500
> >>> From: Dave Kleiman <dave () davekleiman com>
> >>> To: "security-basics () securityfocus com"
> >>> <security-basics () securityfocus com>
> >>> Subject: RE: Bank Of Montreal Online Security
> >>> Resent-Date: Wed, 31 Oct 2012 09:07:10 -0700 (PDT)
> >>> Resent-From:
> >>> security-basics-return-58248-a.kelner=noc.brsi.ru () securityfocus com
> >>>
> >>> Alexander,
> >>>
> >>>>>> Which password length is more secure - that is a question.<<<
> >>>
> >>> If you used the above statement, just as you typed it, as your
> >>> password (passphrase), would it not both much stronger than 6
> >>> characters and very easy to remember?
> >>>
> >>
> >> Hi Dave!
> >>
> >> Yes, it's very easy to remember, but I think this method for password
> >> setting is not as strong as it may appears :-)
> >>
> >> The phrase "Which password length is more secure - that is a question"
> >> contains not 58 "random chars", but 11 only, because each word must be
> >> considered as a single symbol in the vocabulary, say for brute force
> >> attack.
> >>
> >> There is a strong corelation between the chars inside of the words if
> >> these
> >> words are taken from our lexicon. So, these characters should not be
> >> considered independent. Yes, this password is long but it is not too
> >> random,
> >> and so it is not too secure.
> >>
> >> Moreover there may be found efficient heuristics when you try to attack
> >> passwords like human speech sentences due to existing correlation
> >> between
> >> words inside of such sentences and due to quite deterministic
> >> structure of
> >> sentences.
> >>
> >> If you bring some order (the way for easy memorizing) into your 
> password
> >> you decrease it's strength.
> >>
> >> Well, and now try to type above phrase in invisible mode and don't make
> >> mistake :-)
> >>
> >> Though, IMHO six chars passwords are too short. I like at least 8 :-)
> >>
> >>>
> >>> Respectfully,
> >>>
> >>> Dave Kleiman - http://www.ComputerForensicsLLC.com -
> >>> http://www.computerforensicsexpertwitnesses.com
> >>>
> >>> 4371 Northlake Blvd #314
> >>> Palm Beach Gardens, FL 33410
> >>> 561.310.8801
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: listbounce () securityfocus com
> >>> [mailto:listbounce () securityfocus com] On Behalf Of Alexander A. Kelner
> >>> Sent: Monday, October 29, 2012 16:20
> >>> To: security-basics () securityfocus com
> >>> Subject: RE: Bank Of Montreal Online Security
> >>>
> >>>
> >>>> From: listbounce () securityfocus com
> >>>> [mailto:listbounce () securityfocus com] On Behalf Of mrtolton () gmail com
> >>>> Sent: Friday, October 26, 2012 2:08 PM
> >>>> To: security-basics () securityfocus com
> >>>> Subject: Bank Of Montreal Online Security
> >>>>
> >>>> It's come to my attention that the Bank Of Montreal online 
> security is
> >>>> shockingly lax. First of all regardless of your password length, it
> >>>> only cares about the first six characters. Even more insane is it
> >>>> doesn't matter what case of the letters are, it will allow you
> >>>> access all the same.
> >>>>
> >>>> On top of this, theres a bug in the iPhone app which will not allow
> >>>> you to unsave your card number.
> >>>>
> >>>> Its a good thing they guarantee 100% of your money against fraudulent
> >>>> transfers, because its only a matter of time.
> >>>
> >>> Hello.
> >>>
> >>> IMHO "shockingly laxity" is not as obvious as it may appear at first
> >>> approach.
> >>>
> >>> Six chars give us about (26+10)^6=2 billions of possible passwords.
> >>> If their server is smart enough to allow as low as 1 authentication
> >>> attempt per second for the same account then you will spend some
> >>> hundreds years trying to brute force it.
> >>>
> >>> BUT! The short password can be easy memorized, when the long
> >>> password must be recorded somewhere (sometimes in very inappropriate
> >>> place), and then may be stolen. Which password length is more secure
> >>> - that is a question.
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >> ---
> >> Alexander A. Kelner
> >> Senior engineer
> >> CT Network Operation Center
> >> RosTelecom - Bryansk
> >>
> >> 
> ------------------------------------------------------------------------
> >> Securing Apache Web Server with thawte Digital Certificate
> >> In this guide we examine the importance of Apache-SSL and who needs
> >> an SSL certificate. We look at how SSL works, how it benefits your
> >> company and how your customers can tell if a site is secure. You will
> >> find out how to test, purchase, install and use a thawte Digital
> >> Certificate on your Apache web server. Throughout, best practices for
> >> set-up are highlighted to help you ensure efficient ongoing
> >> management of your encryption keys and digital certificates.
> >>
> >> 
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 
>
> >>
> >> 
> ------------------------------------------------------------------------
> >>
> >> 
> ------------------------------------------------------------------------
> >> Securing Apache Web Server with thawte Digital Certificate
> >> In this guide we examine the importance of Apache-SSL and who needs
> >> an SSL certificate.  We look at how SSL works, how it benefits your
> >> company and how your customers can tell if a site is secure. You will
> >> find out how to test, purchase, install and use a thawte Digital
> >> Certificate on your Apache web server. Throughout, best practices for
> >> set-up are highlighted to help you ensure efficient ongoing
> >> management of your encryption keys and digital certificates.
> >>
> >> 
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 
>
> >>
> >> 
> ------------------------------------------------------------------------
> >>
> >>
> >
> >
> > ---
> > Alexander A. Kelner
> > Senior engineer
> > CT Network Operation Center
> > RosTelecom - Bryansk
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an
> > SSL certificate.  We look at how SSL works, how it benefits your
> > company and how your customers can tell if a site is secure. You will
> > find out how to test, purchase, install and use a thawte Digital
> > Certificate on your Apache web server. Throughout, best practices for
> > set-up are highlighted to help you ensure efficient ongoing management
> > of your encryption keys and digital certificates.
> >
> > 
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 
>
> >
> > ------------------------------------------------------------------------
> >
> >
> >
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an 
> SSL certificate.  We look at how SSL works, how it benefits your 
> company and how your customers can tell if a site is secure. You will 
> find out how to test, purchase, install and use a thawte Digital 
> Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management 
> of your encryption keys and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------