From: Richard Quadling

> On 14 May 2010 14:47, Bob McConnell wrote:
>> Actually, I believe that linking a session to a specific individual
>> without reading a biometric key with every http request is an
>> unacceptable risk. And no, I don't do any banking online.
> That's why my bank has supplied me with a little card reader for my
> bank card, into which I put my pin number.
> So they know it is me because of something I have (my card and card
> reader) and something I know (my pin number).
> This is pretty similar to the system we use for our online BACS
> And yes, I do online banking.

That only verifies that it was probably you that initially logged in.
There is nothing to prevent someone else from knocking you out and using
the session once you have completed that step, or hijacking it after you
are done. There are any number of ways to intercept your traffic, such
as a poisoned DNS server misdirecting your browser through a man in the

Even without that, how long would it take someone else to 'discover'
your four-digit PIN number if they wanted to? Probably less than an hour
with only 9999 possible variations. That's nowhere near safe enough for

Bob McConnell
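A bank-side model of the two defences this exchange turns on, added here as an example and not code from the list or from anyone posting on it: session idle and absolute limits plus a fresh second factor for payments address the hijacked-session point, and a per-card attempt counter bounds PIN guessing to a handful of tries regardless of the 10,000-value keyspace. The class names, limits and PBKDF2 storage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PIN_MAX_ATTEMPTS = 3          # assumption: card locks after 3 wrong PINs
IDLE_TIMEOUT = 5 * 60         # assumption: 5 idle minutes end the session
ABSOLUTE_LIFETIME = 20 * 60   # assumption: hard cap regardless of activity
STEP_UP_MAX_AGE = 60          # assumption: payment needs a factor <60 s old


class CardPinVerifier:
    """Salted PIN hash plus an attempt counter: the guessing budget is
    PIN_MAX_ATTEMPTS, not the 10,000-value keyspace of a 4-digit PIN."""

    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(pin)
        self.failures = 0

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, pin: str) -> bool:
        if self.failures >= PIN_MAX_ATTEMPTS:
            return False  # locked: guesses are refused, correct or not
        ok = hmac.compare_digest(self._hash(pin), self.digest)
        self.failures = 0 if ok else self.failures + 1
        return ok


class Session:
    """Server-side session; the clock is passed in so the model is testable."""

    def __init__(self, now: float):
        self.created = self.last_seen = self.last_step_up = now
        self.id = secrets.token_hex(32)

    def active(self, now: float) -> bool:
        idle_ok = (now - self.last_seen) < IDLE_TIMEOUT
        return idle_ok and (now - self.created) < ABSOLUTE_LIFETIME

    def touch(self, now: float) -> None:
        self.last_seen = now

    def step_up(self, now: float) -> None:
        """A fresh card-reader code was verified; rotate the id as well."""
        self.last_step_up, self.id = now, secrets.token_hex(32)

    def may_pay(self, now: float) -> bool:
        """Moving money needs a live session and a recent second factor."""
        return self.active(now) and (now - self.last_step_up) < STEP_UP_MAX_AGE
```

A session taken over after login can therefore keep the account open for at most the idle window, but cannot authorise a payment without the card reader being used again.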

PHP General Mailing List