Penetration Testing mailing list archives

Re: [PEN-TEST] Home-Banking PEN-TESTING


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 29 Aug 2000 17:18:37 -0500

Another solution to the cookie problem would be to store the md5 hash of the password in a cookie,
which the banking software would compare with its own hash.  This clearly doesn't help too much,
but it would keep the clear-text password from being stolen.  Also, the cookie security model was
designed to keep sites from reading cookies placed on a browser by a different site, while the browsers
themselves are usually buggy enough to provide ways around it, that is the way it _should_ work ;)

-HD

http://www.digitaldefense.net


"The more complex our security becomes, the more complex our enemy's efforts must be.
The more we seek to shut him out, the better he must learn to become at breaking in.
Each new level of security that we manage becomes no more than a stepping-stone for him
who would surpass us, for he bases his next assault upon our best defenses."


Jim Miller wrote:

IMHO2:  You will never get a banking customer in West Texas to use the Internet for banking if you require him to 
"enter the 3rd, 26th, 38th, 41st and 107th characters of your password".  It's unreasonable.  My own bank has a box 
on the login screen that asks if the customer wants to have his system remember the password so he does not have to 
be pained for it.  I think that puts the Bank at Risk of being sued, and plan to ask if it can be removed.  It stores 
the password in a cookie on the customer's drive.  And it can be hacked.  I have seen no system prevention against a 
site reading another site's cookies, and it is certainly hackable locally.
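
Added example, not part of the original message or of any banking product: a Python sketch that puts the MD5-of-password cookie discussed above beside a random, revocable remember-me token, to show what each one gives the server to check. The `TokenStore` class, the function names and the sample password are hypothetical.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery"  # constructed sample value

def md5_cookie(password: str) -> str:
    """Scheme from the message: the cookie holds the MD5 hash of the password."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_cookie_valid(cookie: str, stored_hash: str) -> bool:
    """Server side: compare the cookie with the server's own hash."""
    return hmac.compare_digest(cookie, stored_hash)

class TokenStore:
    """Assumed alternative: random per-login token; server keeps only its SHA-256."""
    def __init__(self):
        self._tokens = {}  # sha256(token) -> username

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = user
        return token

    def check(self, token: str):
        return self._tokens.get(self._digest(token))

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._digest(token), None)

def compare_schemes() -> dict:
    stored = md5_cookie(PASSWORD)
    c1, c2 = md5_cookie(PASSWORD), md5_cookie(PASSWORD)
    store = TokenStore()
    t1, t2 = store.issue("alice"), store.issue("alice")
    store.revoke(t1)  # e.g. customer reports a lost laptop
    return {
        # The hash never changes until the password does, so the cookie
        # is a fixed stand-in for the password on every device.
        "md5_cookie_same_every_login": c1 == c2,
        "md5_cookie_accepted_on_replay": md5_cookie_valid(c1, stored),
        # Random tokens differ per login and can be cancelled one at a time.
        "token_unique_per_login": t1 != t2,
        "revoked_token_rejected": store.check(t1) is None,
        "other_token_still_valid": store.check(t2) == "alice",
    }
```
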

