On 14 May 2010 15:26, Bob McConnell <r...@cbord.com> wrote:
> From: Richard Quadling
>
>>On 14 May 2010 14:47, Bob McConnell <r...@cbord.com> wrote:
>>> Actually, I believe that linking a session to a specific individual
>>> without reading a biometric key with every http request is an
>>> unacceptable risk. And no, I don't do any banking online.
>>
>> That's why my bank has supplied me with a little card reader for my
>> bank card, into which I put my PIN.
>>
>> So they know it is me because of something I have (my card and card
>> reader) and something I know (my PIN).
>>
>> This is pretty similar to the system we use for our online BACS
> transactions.
>>
>> And yes, I do online banking.
>
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
>
> Even without that, how long would it take someone else to 'discover'
> your four-digit PIN if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
>
> Bob McConnell
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

The PIN pad requires my 4-digit PIN and generates an 8-digit number
which is required by the bank's web site (100 million combinations, and
it must match the expectation on the server).

The 8 digit number is different every time.

And 3 failed logins disable the login until I go through security via
the phone. And then I still have to use the same data to try again.

The channel is https ONLY - you cannot login on http.

I also keep my front door locked and I trust my wife and kids to not
knock me out, though the way the kids play up sometimes ...

DNS poisoning is certainly a possibility. The Blue Frog incident a few
years ago certainly revealed a weakness in DNS servers (the
operators).

And you are right, essentially a man-in-the-middle is still not
defendable (AFAIK).

-- 
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
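The scheme Richard describes above (a PIN-unlocked card reader producing a fresh 8-digit code per use, a server that must hold a matching expectation, and a three-strikes lockout) can be modelled in a few lines. The following is an added example written for this thread, not code from the list, the bank, or any real card reader: it uses RFC 4226 HOTP (HMAC-SHA1 over a counter) as a stand-in for whatever the bank's reader actually computes, simplifies the PIN to a local gate on the reader, and uses a constructed secret and PIN. The `CardReader`, `BankServer`, `LOOKAHEAD` and `MAX_FAILURES` names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 8          # 8-digit code, as in the thread: 10^8 possibilities per counter value
LOOKAHEAD = 5       # assumption: server tolerates up to 5 reader presses that were never submitted
MAX_FAILURES = 3    # "3 failed logins disables the login"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class CardReader:
    """Something you have (the card secret) unlocked by something you know (the PIN).
    Assumption: the reader checks the PIN locally and never sends it anywhere."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def press(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None                      # wrong PIN: no code is produced at all
        code = hotp(self._secret, self._counter)
        self._counter += 1                   # every press yields a different code
        return code


class BankServer:
    """Holds the same secret and its own counter, so it can compute the expected code."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0
        self._failures = 0
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False                     # locked out until the phone security check
        for c in range(self._counter, self._counter + LOOKAHEAD):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1        # counters <= c are now burned: no replay
                self._failures = 0
                return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self.locked = True
        return False

    def unlock_after_phone_check(self):
        """Assumption: the out-of-band check resets the lockout but not the counter."""
        self.locked = False
        self._failures = 0


def demo() -> dict:
    """Walk through the properties discussed in the thread on constructed data."""
    secret = b"12345678901234567890"        # constructed: RFC 4226 test-vector secret
    reader = CardReader(secret, "1234")     # constructed PIN
    bank = BankServer(secret)

    wrong_pin = reader.press("9999")         # wrong PIN: reader yields nothing
    code1 = reader.press("1234")
    first_login = bank.verify(code1)         # fresh code: accepted
    replay = bank.verify(code1)              # same code again: rejected (failure 1)
    guess1 = bank.verify("00000000")         # constructed wrong guess (failure 2)
    guess2 = bank.verify("00000000")         # third failure: account locks
    code2 = reader.press("1234")
    while_locked = bank.verify(code2)        # even a valid code fails while locked
    bank.unlock_after_phone_check()
    after_unlock = bank.verify(code2)        # "still have to use the same data to try again"

    return {
        "wrong_pin_gives_code": wrong_pin is not None,
        "first_login": first_login,
        "replay_accepted": replay,
        "guesses_accepted": guess1 or guess2,
        "locked": bank.locked is False and not while_locked,   # locked flag cleared by unlock
        "while_locked": while_locked,
        "after_unlock": after_unlock,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The counter look-ahead is what lets the server "match expectation" even if a few codes were generated and never typed in; the point of the replay and lockout checks is that neither an 8-digit code captured from one login nor a brute-force run over the PIN space gets an attacker past the server, which is the part of the argument the thread was circling around.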
