[13785] in bugtraq


Re: Statistical Attack Against Virtual Banks

daemon@ATHENA.MIT.EDU (Andre L. Dos Santos)
Wed Feb 9 12:25:00 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.GSO.4.05.10002082324110.19236-100000@plover>
Date:         Tue, 8 Feb 2000 23:38:05 -0800
Reply-To: "Andre L. Dos Santos" <andre@CS.UCSB.EDU>
From: "Andre L. Dos Santos" <andre@CS.UCSB.EDU>
X-To:         HC Security <securit@online.no>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.2.0.58.20000209080318.03e54bf0@mta.online.no>

On Wed, 9 Feb 2000, HC Security wrote:

>
> > >(...) Therefore, it is a wide spread
> > >practice to use 4 or 6 digit PINs. Because of the small length of the PINs
> > >an attacker can target a particular account and try all possibilities. In
> > >order to defend against this class of attacks, banks usually lock out
> > >accounts after a certain number of unsuccessful identification attempts.
>
> I don't know what is the case in California, but I don't think I can
> emphasise heavily enough how immensely stupid it is to rely _solely_ on a 4
> (or 6) digit PIN  for full access to the bank account. How come, when there
> are so many other easy-to-implement solutions which are way better when it
> comes to security? To use the same code day after day on the same
> website...... that statistical attack is perhaps not the worst, what if
> someone snooped your traffic or logged on to your win98 computer and simply
> retrieved your PIN?
>


  How are you going to snoop a PIN code that is not stored locally and
is transmitted using SSL or a java applet using encryption? Anyway, if I
have access to a win98 computer I can do many nasty things...



> Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
> least_ use one-time passwords, or so-called digipasses (the user types his
> PIN on an small, personal calculator-type device which returns a 6 digit
> code to use for authentication in the virtual bank - this code expires
> after 15 min or so).


  I don't see why this is better than a PIN, unless it is a separate
device (with the overhead of the user having to carry this token). In
addition, if I know how the device generates the code from the PIN, this
only represents an extra step in the attack.


>
> > >Some banks use alphanumeric characters for authentication. An attacker can
> > >use dictionary words, instead of numbers, in this case to attack these
> > >banks.
>
> Mensch!
>
> --
> Regards,
>
> Snorre Haugnes
> HC Security
>


  Cheers,

  Andre.
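The attack class the thread is about (the "statistical attack" of the subject line) is the horizontal form of PIN guessing: instead of exhausting one account's PIN space and hitting the per-account lockout, the attacker makes a few guesses against every account and lets the population do the work. The following model and detection check are an added example and are not code from the original post or from its author; the 4-digit PIN space, the lockout-after-3 policy, the account population and the log lines are all constructed for illustration, and the model assumes uniformly random PINs (user-chosen PINs are skewed toward a few popular values, which only raises the attacker's yield).

```python
"""Horizontal ("statistical") PIN-guessing model for the attack discussed
in this thread.  Added example, not code from the original post.  Every
number below is an assumption: a 4-digit PIN space, lockout after 3 failed
attempts, and a constructed population of accounts and log lines.
"""
import random
from collections import defaultdict


def expected_compromises(accounts: int, pin_digits: int, lockout_after: int) -> float:
    """Expected number of accounts opened when the attacker makes
    (lockout_after - 1) guesses against each account, i.e. stays one short
    of the per-account lockout, and PINs are uniformly random."""
    pin_space = 10 ** pin_digits
    guesses_per_account = lockout_after - 1
    return accounts * guesses_per_account / pin_space


def simulate(accounts: int, pin_digits: int, lockout_after: int, seed: int = 1) -> int:
    """Monte Carlo version of the same attack: give each account a random
    PIN, try the attacker's fixed guess list (the first lockout_after - 1
    PINs, e.g. 0000 and 0001) against every account, and count hits.  The
    per-account lockout never fires because the attacker stops before it."""
    rng = random.Random(seed)
    pin_space = 10 ** pin_digits
    guess_list = set(range(lockout_after - 1))
    hits = 0
    for _ in range(accounts):
        real_pin = rng.randrange(pin_space)  # assumption: uniform PINs
        if real_pin in guess_list:
            hits += 1
    return hits


# Constructed log lines (not from any real bank): one source spreading a
# couple of failures over many accounts, one source failing repeatedly on
# a single account (the case per-account lockout already handles).
LOG_LINES = [
    "src=10.0.0.5 account=1001 result=FAIL",
    "src=10.0.0.5 account=1002 result=FAIL",
    "src=10.0.0.5 account=1003 result=FAIL",
    "src=10.0.0.5 account=1004 result=FAIL",
    "src=192.0.2.7 account=1001 result=FAIL",
    "src=192.0.2.7 account=1001 result=FAIL",
    "src=192.0.2.7 account=1001 result=OK",
]


def parse_line(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def flag_horizontal_guessing(lines, distinct_accounts: int = 3) -> set:
    """Per-account lockout cannot see this attack; counting failures per
    source across *distinct* accounts can.  Returns the sources whose
    failed logins touched at least `distinct_accounts` different accounts."""
    failed_accounts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec.get("result") == "FAIL":
            failed_accounts[rec["src"]].add(rec["account"])
    return {src for src, accts in failed_accounts.items() if len(accts) >= distinct_accounts}


if __name__ == "__main__":
    print("expected hits, 4-digit PIN, 100k accounts:", expected_compromises(100_000, 4, 3))
    print("expected hits, 6-digit PIN, 100k accounts:", expected_compromises(100_000, 6, 3))
    print("simulated hits, 4-digit PIN:", simulate(100_000, 4, 3))
    print("sources flagged:", flag_horizontal_guessing(LOG_LINES))
```

The two numbers the model puts side by side are the point of the thread: with 4-digit PINs and two safe guesses per account, 100,000 accounts yield about 20 compromises without a single lockout, and going to 6 digits cuts that by a factor of 100. The detection function shows the counter-measure that per-account lockout does not provide, namely counting failures per source across distinct accounts (in practice keyed on source address, session or client fingerprint rather than on the account).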
