On Wed, Dec 30, 2009 at 2:59 PM, Eckhard Jokisch <[email protected]> wrote:

> We should start to talk to the banks for example. ANZ Bank

We have a similar system in Norway with a bank called Skandiabanken. [0]

All you need to log in to somebody's account is their social security number and a 6-letter code consisting of 0-9A-Z. Then you have to generate an SSL certificate and you can log in. They even use your social security number as a serial number in the cert, so getting your hands on somebody's social security number is not a problem at all if you have access to a computer they've used to log in with. (I like to think most people do not remove their certificate, or they might forget.)

They *do* allow you to log in through more secure measures, but that doesn't matter, as an attacker could just request the code over SMS anyways...

I have contacted them on multiple occasions to bring their attention to the issue, but I am constantly ignored. Hopefully this will speed things up. I will also send them a link to this thread.

--
- omes

_______________________________________________
A51 mailing list
[email protected]
http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
