On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.
As a data point, the largest bank in
Ivan Krstić [EMAIL PROTECTED] writes:
On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
My experience with European banks is quite limited -- my consulting
practice is pretty much US centric. My general understanding, however,
is that they are doing better, not worse, with login security.
On Jun 30, 2008, at 7:22 PM, Perry E. Metzger wrote:
One of the most interesting things I find about most fields is the
fact that people who are incompetent very often fancy themselves
experts. There's a great study on this subject -- usually the least
competent people are the ones that feel
On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names. (It is
possible SOMEONE out there does this,
Stephan Neuhaus [EMAIL PROTECTED] writes:
On Jul 1, 2008, at 17:39, Perry E. Metzger wrote:
Ed, there is a reason no one in the US, not even Wells Fargo which you
falsely cited, does what you suggest. None of them use 4 digit PINs,
none of them use customer account numbers as account names.
[Moderator's note: I'll let Ed have the last word. I'm sure everyone
knows what I'd say anyway. --Perry]
Perry E. Metzger wrote:
Ed Gerck [EMAIL PROTECTED] writes:
In any case, there are a large number of reasons US banks don't
(generally) require or even allow anyone to enter PINs for
Allen wrote:
Very. The (I hate to use this term for something so pathetic) password
for the file is 6 (yes, six) numeric characters!
My 6 year old K6-II can crack this in less than one minute as there are
only 1.11*10^6 possible.
Not so fast. Bank PINs are usually just 4 numeric characters
Arshad Noor wrote:
While programmers or businesspeople could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
Committees of experts regularly get
Arshad Noor wrote:
While programmers or businesspeople could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.
This is the reason why we in the OASIS
James A. Donald wrote:
Committees of experts regularly get cryptography wrong - consider, for
example the Wifi debacle. Each wifi release contains classic and
infamous errors - for example WPA-Personal is subject to offline
dictionary attack.
One would have thought that after the first
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
Given this, the real question is, /Quis custodiet ipsos custodes?/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about social institutions.
There are well-attended conferences, papers published online
Ed Gerck writes:
-+--
| ...
| Not so fast. Bank PINs are usually just 4 numeric characters long and
| yet they are considered /safe/ even for web access to the account
| (where a physical card is not required).
|
| Why? Because after 4 tries the access is blocked for your IP
[EMAIL PROTECTED] wrote:
Ed Gerck writes:
-+--
| ...
| Not so fast. Bank PINs are usually just 4 numeric characters long and
| yet they are considered /safe/ even for web access to the account
| (where a physical card is not required).
|
| Why? Because after 4 tries the
Nicolas Williams wrote:
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
Given this, the real question is, /Quis custodiet ipsos custodes?/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about social institutions.
Well, I wouldn't say they aren't
On Mon, Jun 30, 2008 at 11:47:54AM -0700, Allen wrote:
Nicolas Williams wrote:
On Mon, Jun 30, 2008 at 07:16:17AM -0700, Allen wrote:
Given this, the real question is, /Quis custodiet ipsos custodes?/
Putting aside the fact that cryptographers aren't custodians of
anything, it's all about
Allen wrote:
During the transmission from an ATM machine 4 numeric characters are
probably safe because the machines use dedicated dry pair phone lines
for the most part, as I understand the system. This, combined with
triple DES, makes it very difficult to compromise or do a MIM attack
James A. Donald [EMAIL PROTECTED] writes:
Arshad Noor wrote:
While programmers or businesspeople could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being
Ed Gerck [EMAIL PROTECTED] writes:
[EMAIL PROTECTED] wrote:
So I hold the PIN constant and vary the bank account number.
This is, indeed, a possible attack considering that the same IP may be
legitimately used by different users behind NAT firewalls and/or with
dynamic IPs. However, there
Allen [EMAIL PROTECTED] writes:
There are well-attended conferences, papers published online and in many
journals, etcetera. So it's not so difficult for people who don't know
anything about security and crypto to eventually figure out who does, in
the process also learning who else knows
[Moderator's note: Top posting considered uncool. --Perry]
While programmers or businesspeople could be ill-informed, Allen,
I think the greater danger is that IT auditors do not know enough
about cryptography, and consequently pass unsafe business processes
and/or software as being secure.