WebApp Sec mailing list archives
Re: [WEB SECURITY] SSL does not = a secure website
From: Evert Collab <evert () collab nl>
Date: Wed, 29 Mar 2006 20:00:06 +0200
Our bank (www.rabobank.nl) dispatches a random-reader, a small device looking like a calculator.

You insert your bankcard and enter a PIN, and it will reply with a number which you can use to log into the site. It won't use the same number twice, so keyloggers won't work. When you are confirming a transaction, it requires you to re-enter the PIN along with an 8-digit number displayed on the site. Confirm with the number displayed on the device.

Seems like a pretty solid approach to me.

A second bank (www.postbank.nl) uses a huge list with numbers. Every time you log in you enter a new number. This method is awkward, inconvenient and less secure.

Evert

Gervase Markham wrote:
> James Strassburg wrote:
> > There are additional countermeasures that a web application can implement. For example, the app could have the user enter his/her password by clicking an onscreen keyboard or ask the user for random characters from their password (enter the 2nd, 4th and 10th character of your password). I should state that while I've read about these I don't know of a web application that makes use of them.
>
> Barclays Bank in the UK uses the latter - a five-digit numeric password, specified in full, and a memorable word, of which you specify two letters using dropdown lists (so you have to use the mouse).
>
> Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
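The random-reader flow Evert describes (PIN unlocks the card, the site shows an 8-digit challenge, the device answers with a code that is never reused) is a challenge-response scheme. The following is an added simulation, not code from the thread or from any bank: the card key, the truncated-HMAC response and the bank's single-use challenge table are all assumptions, chosen to show why a keylogged code is useless on replay and why binding the challenge to the transaction blocks tampering.

```python
import hmac, hashlib, secrets
from typing import Optional

def response_code(card_key: bytes, challenge: str, digits: int = 8) -> str:
    """What the device computes once the PIN has unlocked the card key:
    a truncated HMAC over the challenge, shown as a short decimal code.
    (Assumed construction; real devices use their own card-specific scheme.)"""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class Device:
    """Simulated random-reader: the PIN unlocks the key held on the card."""
    def __init__(self, card_key: bytes, pin: str):
        self._card_key, self._pin = card_key, pin

    def answer(self, pin: str, challenge: str) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: the device gives no code at all
        return response_code(self._card_key, challenge)

class Bank:
    """Server side: issues single-use 8-digit challenges bound to a purpose
    (login, or the exact transaction being confirmed) and verifies answers."""
    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._pending = {}  # challenge -> purpose it was issued for

    def challenge(self, purpose: str) -> str:
        c = str(secrets.randbelow(10 ** 8)).zfill(8)  # the number shown on the site
        self._pending[c] = purpose
        return c

    def verify(self, challenge: str, code: str, purpose: str) -> bool:
        # pop() makes every challenge single-use: a replayed code fails here.
        # Comparing the purpose defeats swapping the transaction details.
        if self._pending.pop(challenge, None) != purpose:
            return False
        return hmac.compare_digest(response_code(self._card_key, challenge), code)

if __name__ == "__main__":
    key = b"constructed-card-key"  # constructed sample, not a real card secret
    dev, bank = Device(key, "1234"), Bank(key)
    c = bank.challenge("login")
    code = dev.answer("1234", c)
    print("login:", bank.verify(c, code, "login"), "replay:", bank.verify(c, code, "login"))
```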