Ed Gerck <[EMAIL PROTECTED]> writes:

>[EMAIL PROTECTED] wrote:
>> So I hold the PIN constant and vary the bank account number.
>
>This is, indeed, a possible attack considering that the same IP may be
>legitimately used by different users behind NAT firewalls and/or with dynamic
>IPs. However, there are a number of reasons, and evidence, why this attack
>can be (and has been) prevented even for a short PIN:

It's a pity that Kjell Hole et al didn't know this was impossible when they
mounted exactly this attack against the Norwegian banking system :-).

Peter.
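
The attack discussed in this thread keeps one PIN fixed and walks across account numbers, so a per-account failure counter never reaches its limit. The following is an added example, not part of the original messages: it runs a per-account lockout and a cross-account failure detector over the same constructed login records. The record layout, account names, addresses and thresholds are assumptions; the detector ignores the source address on purpose, because the quoted message notes that one address may be shared behind NAT.

```python
from collections import defaultdict

# Constructed sample records: (epoch_seconds, source, account, success).
EVENTS = [
    (10,  "198.51.100.7", "acct-1001", False),
    (25,  "198.51.100.7", "acct-1002", False),
    (40,  "203.0.113.9",  "acct-1003", False),
    (70,  "203.0.113.9",  "acct-1004", False),
    (95,  "198.51.100.7", "acct-1005", False),
    (130, "192.0.2.44",   "acct-1006", False),
    (131, "192.0.2.44",   "acct-2000", True),
    (900, "192.0.2.50",   "acct-3000", False),   # one user mistyping a PIN
    (910, "192.0.2.50",   "acct-3000", False),
    (920, "192.0.2.50",   "acct-3000", False),
]

def per_account_lockouts(events, max_failures=3):
    """Classic control: lock an account after max_failures consecutive failures."""
    fails, locked = defaultdict(int), set()
    for _, _, account, ok in events:
        if ok:
            fails[account] = 0
            continue
        fails[account] += 1
        if fails[account] >= max_failures:
            locked.add(account)
    return locked

def cross_account_failures(events, window=300, min_accounts=5, max_per_account=2):
    """Flag fixed time windows in which many distinct accounts each fail only
    a few times: the pattern left by one PIN tried against many accounts.
    Returns {window_start: number_of_such_accounts}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, _source, account, ok in events:   # source deliberately ignored
        if not ok:
            buckets[ts // window][account] += 1
    flagged = {}
    for bucket, per_account in buckets.items():
        low = [a for a, n in per_account.items() if n <= max_per_account]
        if len(low) >= min_accounts:
            flagged[bucket * window] = len(low)
    return flagged

if __name__ == "__main__":
    print("locked accounts:", per_account_lockouts(EVENTS))
    print("flagged windows:", cross_account_failures(EVENTS))
```

On this data the lockout only catches the single mistyping user, while the cross-account count flags the window in which six accounts each failed once.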
