On Fri, 2010-05-14 at 10:26 -0400, Bob McConnell wrote:

> From: Richard Quadling
> >On 14 May 2010 14:47, Bob McConnell <r...@cbord.com> wrote:
> >> Actually, I believe that linking a session to a specific individual
> >> without reading a biometric key with every http request is an
> >> unacceptable risk. And no, I don't do any banking online.
> > 
> > That's why my bank has supplied me with a little card reader for my
> > bank card, into which I put my pin number.
> > 
> > So they know it is me because of something I have (my card and card
> > reader) and something I know (my pin number).
> > 
> > This is pretty similar to the system we use for our online BACS
> > transactions.
> > 
> > And yes, I do online banking.
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
> Even without that, how long would it take someone else to 'discover'
> your four digit PIN number if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
> Bob McConnell

Actually, a 4-digit pin has 10,000 combinations (0000 through 9999

It becomes more interesting if you allow for letters as well, with case
sensitivity, so the permutations would become 62^4 (52 letters & 10
