[22495] in bugtraq


Re: Vulnerability in credit union's E-statement feature

daemon@ATHENA.MIT.EDU (Crispin Cowan)
Mon Sep 3 01:45:21 2001

Message-ID: <3B92A1AD.2040306@wirex.com>
Date: Sun, 02 Sep 2001 14:16:29 -0700
From: Crispin Cowan <crispin@wirex.com>
MIME-Version: 1.0
To: Hugo van der Kooij <hvdkooij@vanderkooij.org>
Cc: BUGTRAQ@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hugo van der Kooij wrote:

>On Fri, 31 Aug 2001, BlueJAMC wrote:
>
>>Obviously, the problem here is clear; the account number is clear text.
>>Of course, the link requires you to include a password.  However,
>>considering the fact that most users use the same password for
>>everything--e-mail, e-statements, chatroom SNs, etc--the requirement to
>>use a password is little consolation.  This, coupled with the fact that
>>the individual branches for the credit union do not check for any type
>>of identification other than a signature when making a withdrawal, makes
>>this even more dangerous.
>>
>
>Any bank using plain username/password authentication should be avoided
>at all costs! Such a design is painfully insecure. Any steady
>username/password combination can be obtained and replayed over time.
>
Lovely sentiment (which I actually agree with) but it has the 
substantial problem that that means avoiding nearly all consumer banks. 
This makes the suggestion impractical to follow.

This is characteristic of a lot of the problems of security in practice: 
the security professionals set the bar too high; so high that the people 
who have to operate in the field cannot reach it.  The field operators 
quickly conclude that the sage security advice must be intended for 
"someone else", and then wander off and do whatever they think is best. 
The result is often horribly insecure practices like using social 
security numbers as authenticators.

So let's try to keep it real.  Reusable passwords are horrible security 
measures, and should be replaced with cryptographic tokens.  HOWEVER, 
for many, if not most purposes, reusable passwords can provide an 
acceptable level of security, especially when combined with 
cryptographic tunneling technologies like SSL or SSH.  Save the "avoid 
at all costs" alarm for truly bone-head moves like non-SSL reusable 
passwords or social security number authenticators.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
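The two authentication models argued over in this thread, as an added illustration that is not part of the original mail or of any product named in it: a reusable password is the same secret on every login, so a copy taken once stays valid; a cryptographic token (here stood in for by an HMAC challenge-response over a single-use nonce, an assumption of this example rather than anything the posters specified) produces a fresh proof each time, so a captured exchange is worthless afterwards. Usernames and passwords below are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store for the demonstration (not real accounts).
USERS = {"member42": "hunter2"}


def static_login(username, password):
    """Reusable-password check: the identical secret travels on every login."""
    return USERS.get(username) == password


class ChallengeServer:
    """Challenge-response login (assumed design, not a real product).

    The client proves knowledge of the shared secret by returning an HMAC
    over a fresh nonce; each nonce is accepted at most once.
    """

    def __init__(self, users):
        self.users = users
        self.pending = {}  # username -> outstanding nonce awaiting a response

    def challenge(self, username):
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.pending.pop(username, None)  # single use: consumed here
        if nonce is None or username not in self.users:
            return False
        expected = hmac.new(self.users[username].encode(), nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(secret, nonce):
    """What a token or client computes from the shared secret and the nonce."""
    return hmac.new(secret.encode(), nonce, hashlib.sha256).digest()


def replay_static():
    """A passive observer sees one plaintext login and re-sends it later.

    Returns (first login accepted, replayed login accepted)."""
    captured = ("member42", "hunter2")  # the exact bytes that crossed the wire
    first = static_login(*captured)
    replayed = static_login(*captured)
    return first, replayed  # (True, True): the replay succeeds


def replay_challenge():
    """Same observer model against the challenge-response server.

    Returns (first login accepted, replayed response accepted)."""
    server = ChallengeServer(USERS)
    nonce = server.challenge("member42")
    resp = client_response("hunter2", nonce)
    first = server.verify("member42", resp)
    # The observer holds (nonce, resp); the server issues a new nonce for the
    # next login, so the recorded response no longer matches.
    server.challenge("member42")
    replayed = server.verify("member42", resp)
    return first, replayed  # (True, False): the replay fails


if __name__ == "__main__":
    print("reusable password  (first, replay):", replay_static())
    print("challenge-response (first, replay):", replay_challenge())
```

The point this makes concrete is the one Crispin draws: the weakness of a reusable password is replay after disclosure, and the fix is either to stop the disclosure (an SSL/SSH tunnel around the static secret) or to make disclosure harmless (a per-login proof, as the token does). Neither server above validates transport security; a real deployment would still need the tunnel for the challenge-response variant to protect the rest of the session.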