Ivan Krstić wrote:
On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.
As a data point, th
Ivan Krstić <[EMAIL PROTECTED]> writes:
> On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
>> My experience with European banks is quite limited -- my consulting
>> practice is pretty much US centric. My general understanding, however,
>> is that they are doing better, not worse, with login se
On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.
As a data point, the largest bank in Cr
[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]
Perry E. Metzger wrote:
Ed Gerck <[EMAIL PROTECTED]> writes:
In any case, there are a large number of reasons US banks don't
(generally) require or even allow anyone to enter PINs for
authen
Stephan Neuhaus <[EMAIL PROTECTED]> writes:
> On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
>
>> Ed, there is a reason no one in the US, not even Wells Fargo which you
>> falsely cited, does what you suggest. None of them use 4 digit PINs,
>> none of them use customer account numbers as accoun
On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names. (It is
possible SOMEONE out there does this,
Ed Gerck <[EMAIL PROTECTED]> writes:
>> In any case, there are a large number of reasons US banks don't
>> (generally) require or even allow anyone to enter PINs for
>> authentication over the internet.
>
> Wells Fargo allows PINs for user authentication.
No they don't. The new users of their on
| Hi gang,
|
| All quiet on the cryptography front lately, I see. However, that does not
| prevent practices that *appear* like protection but are not even as strong as
| wet toilet paper.
|
| I had to order a medical device today and they need a signed authorization for
| payment by my insurance
Ed Gerck <[EMAIL PROTECTED]> writes:
>[EMAIL PROTECTED] wrote:
>> So I hold the PIN constant and vary the bank account number.
>
>This is, indeed, a possible attack considering that the same IP may be
>legitimately used by different users behind NAT firewalls and/or with dynamic
>IPs. However, ther
Perry,
You may well think that "You're completely wrong here," as you wrote.
However, a first evidence that I'm correct is that the online banking
system has /not/ collapsed under this attack (Dan's point) in many
years... even though bad guys do have access to large blocks of
different IP nu
On Jun 30, 2008, at 7:22 PM, Perry E. Metzger wrote:
One of the most interesting things I find about most fields is the
fact that people who are incompetent very often fancy themselves
experts. There's a great study on this subject -- usually the least
competent people are the ones that feel high
[EMAIL PROTECTED] (James A. Donald) on Monday, June 30, 2008 wrote:
>The only people who know who the real experts are, are the real
>experts. If you knew who to hire, you could do it yourself, and
>probably should do it yourself.
I would say, even if you can do it yourself, hire another expe
Allen <[EMAIL PROTECTED]> writes:
>> There are well-attended conferences, papers published online and in many
>> journals, etcetera. So it's not so difficult for people who don't know
>> anything about security and crypto to eventually figure out who does, in
>> the process also learning who else
Ed Gerck <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] wrote:
>> So I hold the PIN constant and vary the bank account number.
>
> This is, indeed, a possible attack considering that the same IP may be
> legitimately used by different users behind NAT firewalls and/or with
> dynamic IPs. However,
"James A. Donald" <[EMAIL PROTECTED]> writes:
> Arshad Noor wrote:
>> While programmers or business-people could be ill-informed, Allen,
>> I think the greater danger is that IT auditors do not know enough
>> about cryptography, and consequently pass unsafe business processes
>> and/or software as
Allen wrote:
During the transmission from an ATM machine 4 numeric characters are
probably safe because the machines use dedicated dry pair phone lines
for the most part, as I understand the system. This, combined with
triple DES, makes it very difficult to compromise or do a MIM attack
becaus
On Mon, Jun 30, 2008 at 11:47:54AM -0700, Allen wrote:
> Nicolas Williams wrote:
> >On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
> >>Given this, the real question is, /"Quis custodiet ipsos custodes?"/
> >
> >Putting aside the fact that cryptographers aren't custodians of
> >anything, it
Nicolas Williams wrote:
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
Given this, the real question is, /"Quis custodiet ipsos custodes?"/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about social institutions.
Well, I wouldn't say they aren't
[EMAIL PROTECTED] wrote:
Ed Gerck writes:
-+--
| ...
| Not so fast. Bank PINs are usually just 4 numeric characters long and
| yet they are considered /safe/ even for web access to the account
| (where a physical card is not required).
|
| Why? Because after 4 tries the acces
Ed Gerck wrote:
Allen wrote:
Very. The (I hate to use this term for something so pathetic) password
for the file is 6 (yes, six) numeric characters!
My 6 year old K6-II can crack this in less than one minute as there
are only 1.11*10^6 possible.
Not so fast. Bank PINs are usually just 4 n
Ed Gerck writes:
-+--
| ...
| Not so fast. Bank PINs are usually just 4 numeric characters long and
| yet they are considered /safe/ even for web access to the account
| (where a physical card is not required).
|
| Why? Because after 4 tries the access is blocked for your IP n
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
> Given this, the real question is, /"Quis custodiet ipsos custodes?"/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about social institutions.
There are well-attended conferences, papers published online
James A. Donald wrote:
Committees of experts regularly get cryptography wrong - consider, for
example the Wifi debacle. Each wifi release contains classic and
infamous errors - for example WPA-Personal is subject to offline
dictionary attack.
One would have thought that after the first disas
Arshad Noor wrote:
While programmers or business-people could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
This is the reason why we in the OASIS En
Arshad Noor wrote:
While programmers or business-people could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
Committees of experts regularly get crypto
Allen wrote:
Very. The (I hate to use this term for something so pathetic) password
for the file is 6 (yes, six) numeric characters!
My 6 year old K6-II can crack this in less than one minute as there are
only 1.11*10^6 possible.
Not so fast. Bank PINs are usually just 4 numeric characters l
[Moderator's note: "Top posting considered uncool." --Perry]
While programmers or business-people could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
T
Hi gang,
All quiet on the cryptography front lately, I see. However, that
does not prevent practices that *appear* like protection but are not
even as strong as wet toilet paper.
I had to order a medical device today and they need a signed
authorization for payment by my insurance carrier. N