This question may not be appropriate for this list, I do not know, if there is another list it should be posted on please let me know!
Recently my banking institution has changed the method for logging in. You must be able to answer test questions if you do not log in from the usual "computer" (which actually, if you read below, means "browser"). The method they use to know if you are logging in from the same computer (read again as "browser") is an encrypted cookie. The only personal info they send (they claim) is the member number. I don't have reason to doubt them, but I wonder if this is the whole truth.

I'm curious if 1) this is actually a good way to do it and 2) if this is actually a security enhancement, what are the potential risks and vulnerabilities, and is the "encrypted cookie" going to be able to be decrypted fairly easily or not. I am no expert, but I do have a lot of curiosity about this. My gut feeling is they are implementing something that appears to the uneducated user as an enhancement, but in reality is something more along the lines of "security through obscurity". Banks seem to be all too willing to rely on OSes that are inherently insecure, and often seem to have somewhat amateurish approaches to security issues.

I appreciate any and all responses, and again, if there is a better place to post this please let me know.

_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
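As an added illustration (not the poster's code, and not how any particular bank implements this), here is one way a "remembered browser" cookie can be built so that the question of whether it can be decrypted does not arise: the cookie carries only a random opaque id and an HMAC tag, the member number stays in a server-side registry, and any edit to the cookie fails the tag check. The server key, the in-memory registry and the 90-day lifetime are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never leaves the bank's servers.
# Generated fresh here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory stand-in for the bank's database:
# sha256(device_id) -> (member_number, issued_at). Storing only the hash
# means a leaked table does not yield usable cookies.
DEVICE_REGISTRY = {}

MAX_AGE_SECONDS = 90 * 24 * 3600  # assumed re-enrolment interval


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(member_number, now):
    """Called once after the user passes the step-up questions in a new browser.

    Cookie value is <opaque id>.<issued>.<hmac tag>. It contains no member
    number and nothing to decrypt; the random id is useless without the
    server-side registry entry and the HMAC key.
    """
    device_id = secrets.token_bytes(16)
    issued = int(now)
    payload = f"{_b64(device_id)}.{issued}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    DEVICE_REGISTRY[hashlib.sha256(device_id).digest()] = (member_number, issued)
    return f"{payload}.{_b64(tag)}"


def recognize_device(cookie, member_number, now):
    """True only if the cookie is untampered, unexpired and issued for this member.

    A False result means the login page must fall back to the step-up questions.
    """
    try:
        id_b64, issued_text, tag_b64 = cookie.split(".")
        payload = f"{id_b64}.{issued_text}"
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        # Constant-time compare: any change to the id or timestamp breaks the tag.
        if not hmac.compare_digest(expected, _unb64(tag_b64)):
            return False
        device_id = _unb64(id_b64)
        issued = int(issued_text)
    except (ValueError, TypeError):
        return False
    if now - issued > MAX_AGE_SECONDS:
        return False  # stale cookie: force re-enrolment via the questions
    entry = DEVICE_REGISTRY.get(hashlib.sha256(device_id).digest())
    # A valid cookie presented with a different member number is still rejected.
    return entry is not None and entry[0] == member_number


def login_requires_step_up(cookie, member_number, now):
    """The decision the login page makes: recognised browser, or ask the questions."""
    return cookie is None or not recognize_device(cookie, member_number, now)


if __name__ == "__main__":
    cookie = issue_device_cookie("12345", now=1_700_000_000)
    print("same browser, step-up needed:", login_requires_step_up(cookie, "12345", 1_700_000_100))
    print("no cookie, step-up needed:", login_requires_step_up(None, "12345", 1_700_000_100))
```

Because the cookie lives in one browser's cookie jar, "same computer" really does mean "same browser profile", which matches what the poster noticed. With this construction the relevant risk is no longer decryption but theft of the cookie itself (malware or a browser compromise), which is why the recognised-browser check should only decide whether the extra questions are asked and never replace the password.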
