[22489] in bugtraq


Re: Vulnerability in credit union's E-statement feature

daemon@ATHENA.MIT.EDU (Hugo van der Kooij)
Sun Sep 2 14:56:52 2001

Date: Sat, 1 Sep 2001 20:34:23 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: <BUGTRAQ@securityfocus.com>
In-Reply-To: <000101c132a1$4dcb0a00$e443b4d1@r2f2e2>
Message-ID: <Pine.LNX.4.33.0109012026170.11040-100000@hvdkooij.xs4all.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 31 Aug 2001, BlueJAMC wrote:

> Obviously, the problem here is clear; the account number is clear text.
> Of course, the link requires you to include a password.  However,
> considering the fact that most users use the same password for
> everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
> use a password is little consolation.  This, coupled with the fact that
> the individual branches for the credit union do not check for any type
> of identification other than a signature when making a withdrawal, makes
> this even more dangerous.

Any bank using plain username/password authentication should be avoided
at all costs! Such a design is painfully insecure. Any steady
username/password combination can be obtained and replayed over time.
It usually only takes a glance at the keyboard of someone typing his/her
password to get a good hunch. (recognize any name, car brand, ...?)

I'm not aware of other countries' specifications, but in the Netherlands all
banks use some sort of one-time passwords. Most of them use the tokens
made by Vasco.

The security requires 3 items:
 - a challenge generated by the server
 - physical access to the OTP generator (stack 5 credit cards and you've got
   a picture of the size ;-)
 - the PIN code of the OTP generator
These generate a response that is unique and is sent back to the server.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org        http://hvdkooij.xs4all.nl/
        Don't meddle in the affairs of sysadmins,
        for they are subtle and quick to anger.
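As an added illustration, not code from this post or from Vasco, here is a constructed Python model of the three-item login described above: a server-issued challenge, a token that only answers once its PIN is entered, and a response the server accepts once. The HMAC-based response derivation, the account and PIN values, and all names are assumptions; the replay demo shows why a response seen over someone's shoulder is useless later, unlike a static password.

```python
# Constructed model of a challenge-response OTP login (added example, not
# Vasco's algorithm or any bank's code; the HMAC response is an assumption).
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

DIGITS = 6  # length of the numeric response typed back into the login page

def token_response(token_secret: bytes, challenge: str) -> str:
    """Derive the response from the token secret and the server's challenge."""
    mac = hmac.new(token_secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)

class Token:
    """The physical OTP generator: holds a secret, unlocked by its PIN."""
    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret, self._pin = secret, pin

    def respond(self, pin: str, challenge: str) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: the token gives no response at all
        return token_response(self._secret, challenge)

class Server:
    """The bank side: issues single-use challenges and verifies responses."""
    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}  # account -> enrolled token secret
        self._pending: Dict[str, str] = {}    # account -> outstanding challenge

    def enroll(self, account: str, secret: bytes) -> None:
        self._secrets[account] = secret

    def challenge(self, account: str) -> str:
        self._pending[account] = secrets.token_hex(4).upper()  # fresh each login
        return self._pending[account]

    def verify(self, account: str, response: Optional[str]) -> bool:
        c = self._pending.pop(account, None)  # a challenge can be answered once
        if c is None or response is None or account not in self._secrets:
            return False
        return hmac.compare_digest(token_response(self._secrets[account], c), response)

def demo_replay() -> Tuple[bool, bool]:
    secret = secrets.token_bytes(20)
    tok, srv = Token(secret, "4821"), Server()
    srv.enroll("acct-1", secret)
    captured = tok.respond("4821", srv.challenge("acct-1"))  # seen over the shoulder
    first = srv.verify("acct-1", captured)  # legitimate login succeeds
    srv.challenge("acct-1")  # next session gets a new challenge ...
    return first, srv.verify("acct-1", captured)  # ... so the old response is rejected
```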

