On Wed, 9 Feb 2000, HC Security wrote:

>
> > >(...) Therefore, it is a wide spread
> > >practice to use 4 or 6 digit PINs. Because of the small length of the PINs
> > >an attacker can target a particular account and try all possibilities. In
> > >order to defend against this class of attacks, banks usually lock out
> > >accounts after a certain number of unsuccessful identification attempts.
>
> I don't know what is the case in California, but I don't think I can
> emphasise heavily enough how immensely stupid it is to rely _solely_ on a 4
> (or 6) digit PIN for full access to the bank account. How come, when there
> are so many other easy-to-implement solutions which are way better when it
> comes to security? To use the same code day after day on the same
> website...... that statistical attack is perhaps not the worst, what if
> someone snooped your traffic or logged on to your win98 computer and simply
> retrieved your PIN?
>


  How are you going to snoop a PIN code that is not stored locally and
is transmitted using SSL or a java applet using encryption? Anyway, if I
have access to a win98 computer I can do many nasty things...



> Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
> least_ use one-time passwords, or so-called digipasses (the user types his
> PIN on a small, personal calculator-type device which returns a 6 digit
> code to use for authentication in the virtual bank - this code expires
> after 15 min or so).


  I don't see why this is better than a PIN, unless it is a separated
device (with the overhead of the user having to carry this token). In
addition, if I know how the device generates the code from the PIN, this
only represents an extra step in the attack.


>
> > >Some banks use alphanumeric characters for authentication. An attacker can
> > >use dictionary words, instead of numbers, in this case to attack these
> > >banks.
>
> Mensch!
>
> --
> Regards,
>
> Snorre Haugnes
> HC Security
>


  Cheers,

  Andre.
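As an added illustration, not part of the original thread, of the digipass-style scheme described above: the device releases a 6 digit code only after the PIN unlocks it, the code is an HMAC of the current 15 minute window under a secret that stays inside the device, and the bank accepts the code only for that window. The secret, PIN and timestamp below are constructed sample values, and the HMAC construction is an assumption (the thread names no algorithm).

```python
import hmac
import hashlib
import struct
from typing import Optional

# Constructed parameters, not any vendor's: the thread only says the device
# returns a 6 digit code that expires after 15 min or so.
WINDOW_SECONDS = 15 * 60
CODE_DIGITS = 6


def window_index(unix_time: int) -> int:
    """Index of the 15 minute interval containing unix_time."""
    return unix_time // WINDOW_SECONDS


def code_for_window(device_secret: bytes, window: int) -> str:
    """HMAC of the window index under the per-device secret, cut to 6 digits."""
    mac = hmac.new(device_secret, struct.pack(">Q", window), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


class Digipass:
    """The hand-held token: the PIN only unlocks it; the secret never leaves it."""

    def __init__(self, device_secret: bytes, pin: str):
        self._secret = device_secret
        self._pin = pin

    def generate(self, entered_pin: str, unix_time: int) -> Optional[str]:
        if not hmac.compare_digest(entered_pin.encode(), self._pin.encode()):
            return None  # wrong PIN: the device shows nothing
        return code_for_window(self._secret, window_index(unix_time))


def bank_verify(device_secret: bytes, submitted: str, unix_time: int) -> bool:
    """Server side: only the code for the current window is accepted, so a
    code captured in transit is useless once the window has passed."""
    expected = code_for_window(device_secret, window_index(unix_time))
    return hmac.compare_digest(expected, submitted)


# Constructed sample: one customer's device and the bank's copy of its secret.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DEVICE = Digipass(SECRET, "4711")
NOW = 1_000_000


def replay_after_expiry_is_rejected(unix_time: int = NOW) -> bool:
    """A code shown at unix_time verifies now but not after its window ends."""
    code = DEVICE.generate("4711", unix_time)
    return bank_verify(SECRET, code, unix_time) and not bank_verify(
        SECRET, code, unix_time + WINDOW_SECONDS + 1)
```

Knowing the algorithm and the PIN does not help without the per-device secret: a code computed under any other secret differs from the one the bank expects.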
