[13777] in bugtraq
Re: Statistical Attack Against Virtual Banks
daemon@ATHENA.MIT.EDU (Andre L. Dos Santos)
Wed Feb 9 10:31:44 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.05.10002082347360.9417-100000@bird>
Date: Tue, 8 Feb 2000 23:57:35 -0800
Reply-To: "Andre L. Dos Santos" <andre@CS.UCSB.EDU>
From: "Andre L. Dos Santos" <andre@CS.UCSB.EDU>
X-To: Swift Griggs <ssgriggs@jcius.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.20.0002090121330.4035-100000@voodoomindcontrol.jcius.com>
On Wed, 9 Feb 2000, Swift Griggs wrote:
> On Tue, 8 Feb 2000, Andre L. Dos Santos wrote:
> > Many Virtual Banks rely on a fixed length personal identification
> > number (PIN) to identify a user. Some banks allow access to all of
> > their online operations after a successful identification; others
> > require additional identification, like social security number, maiden
> > name or an additional PIN.
>
> You don't mention x509 authentication in your analysis at all. IMHO, you're
> not doing anything here other than bringing up the age-old technique of
> brute forcing weak passwords in a circuitous way.
>
Users want systems that are user-friendly. Banks want to maximize the
number of users using their online services. Requiring x509 client
certificates goes against both desires (at least for the average user). But
it could improve the protection, if all issues with certificates are not
considered. I did not include this in the note because I have not seen a
bank that requires client x509. Any pointers are welcome.
Andre.