[22488] in bugtraq
Re: Vulnerability in credit union's E-statement feature
daemon@ATHENA.MIT.EDU (Scott Dier)
Sun Sep 2 14:50:27 2001
Date: Sun, 2 Sep 2001 00:10:39 -0500
From: Scott Dier <dieman@ringworld.org>
To: BlueJAMC <bluejamc@netzero.net>
Cc: BUGTRAQ@securityfocus.com
Message-ID: <20010902001039.E624@ringworld.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <000101c132a1$4dcb0a00$e443b4d1@r2f2e2>
* BlueJAMC <bluejamc@netzero.net> [010901 11:11]:
> Please click on the following Link to retrieve your Credit Union
> Statement:
> https://www.siouxfallsfcu.org/servlet/com.sos.estatements.PreLogin?UName=12345-5&Month=8&Year=2001
> Well, at this point, I'm tired of waiting. I do realize that, as Mr.
> Kavanaugh described above, that they are at the mercy of their vendor.
>
> Resolution: Obviously this depends on the vendor. However, the
> suggestion I gave initially was to use either a random number which
Possible solution:
USAA lets me receive multiple documents in PDF format via the web. When
a new 'document' is given to me from them I receive an email telling me
to go to 'www.usaa.com' and to login and check the documents section for
a new document.
I think this is an acceptable balance between account security and user
convenience. It's unacceptable to have any sort of 'shortcut' to my
username in plaintext, IMO.
(On a side note, I'm pretty impressed with the amount of thought that
USAA has put into their web offerings; even when you change your
password you get a *snail mail* notice letting you know, just in case.
Of course, that's too slow. :) )
--
Scott Dier <dieman@ringworld.org> <sdier@debian.org>
http://www.ringworld.org/ #linuxos@irc.openprojects.net
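An added example, not from this thread or from any vendor it mentions, of the "random number" resolution quoted above combined with Scott's point that the link should not be a shortcut around login: the notification URL carries only an opaque, expiring, single-use token, and redeeming it additionally requires that the already-authenticated session belongs to the account the statement was issued for. The host name, the one-week lifetime and the in-memory store are assumptions; the account number 12345-5 is the sample value from the quoted link.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed policy: links expire after a week
BASE_URL = "https://estatements.example.invalid/retrieve"  # assumed host


def _digest(token: str) -> str:
    # Store only a hash server-side, so a leaked store does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()


class StatementLinks:
    """Issues and redeems opaque statement-retrieval tokens (assumed in-memory store)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, used by the tests
        self._records = {}         # token digest -> statement record

    def issue(self, account_id: str, month: int, year: int) -> str:
        """Build the link to mail out. It names no account, only a random token."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[_digest(token)] = {
            "account": account_id, "month": month, "year": year,
            "expires": self._now() + TOKEN_TTL_SECONDS, "used": False,
        }
        return f"{BASE_URL}?t={token}"

    def redeem(self, token: str, logged_in_account: str):
        """Return (account, month, year) once, or None if the token is unknown,
        expired, already used, or not owned by the authenticated account."""
        rec = self._records.get(_digest(token))
        if rec is None or rec["used"] or self._now() > rec["expires"]:
            return None
        if rec["account"] != logged_in_account:
            return None  # the link alone proves nothing; the session must match
        rec["used"] = True
        return rec["account"], rec["month"], rec["year"]


def token_from_url(url: str) -> str:
    """Pull the t= parameter back out of an issued link."""
    return parse_qs(urlparse(url).query).get("t", [""])[0]
```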