WebApp Sec mailing list archives

Re: Question concerning Access Card
From: Peter Conrad <conrad () tivano de>
Date: Fri, 23 Apr 2004 12:11:22 +0200


On Thu, Apr 22, 2004 at 08:27:12AM -0000, Adrian Wiesmann wrote:

> The Access Card which I search whitepapers and descriptions for looks like
> that classic game where two players try to sink each other's ships on some
> matrix. It is nearly credit card sized and has letters on the x axis and
> numbers on the y axis building some matrix in the way like this example.
> The resulting fields then contain the passwords:
>
>
> Now my question: Does anybody of you know this method to access online
> banking or other websites? Anybody an idea what kind of technology is
> behind this list (looks to me like the normal cancellation list only in
> another structure to not have to ship a new one after all items where

I don't know if that's the case here, but it looks like a simple way
to make the handling of a very long PIN easier. E. g. I have an online
bank account where I get asked for a random selection of digits from a
longer PIN (e. g. "Please enter digits 3, 7 and 9 from your PIN"). I
suppose in the above case you'd be asked "Please enter PIN b3", which
is basically the same mechanism.

IMO this does not add any real security. A powerful eavesdropper could
reconstruct the Access Card by watching you login repeatedly. A casual
eavesdropper who has seen only one question/response pair could wait until
the same question is asked again and then use the known response.

Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
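The two eavesdropping observations in the reply above (a patient observer reconstructs the whole card over repeated logins; a one-time observer only has to wait for the same cell to be asked again) can be quantified with a small simulation. The following is an added example, not code from the list post or from any bank's system; it assumes a constructed 10x10 card (columns a to j, rows 1 to 10) with a random 4-character value per cell and a server that picks one cell uniformly at random per login.

```python
import random
import string

# Constructed card layout: letters on the x axis, numbers on the y axis.
COLS = "abcdefghij"
ROWS = list(range(1, 11))


def make_card(rng, length=4):
    """Build a constructed card: one random value per (column,row) cell."""
    alphabet = string.ascii_letters + string.digits
    return {
        f"{c}{r}": "".join(rng.choice(alphabet) for _ in range(length))
        for c in COLS
        for r in ROWS
    }


def challenge(rng):
    """Server side: ask for one uniformly random cell, e.g. 'b3'."""
    return f"{rng.choice(COLS)}{rng.choice(ROWS)}"


def simulate_logins(card, n, rng):
    """Run n challenge/response logins while a passive observer records
    every (cell, response) pair it sees.

    Returns the observer's partial copy of the card and how many of the
    n logins asked for a cell the observer had already recorded, i.e.
    logins a one-time observer could have answered from a single earlier
    observation of that cell.
    """
    observed = {}
    replayable = 0
    for _ in range(n):
        cell = challenge(rng)
        if cell in observed:
            replayable += 1
        observed[cell] = card[cell]   # user answers correctly; observer notes it
    return observed, replayable


def coverage(observed, card):
    """Fraction of the card the observer has reconstructed so far."""
    return len(observed) / len(card)


def expected_coverage(cells, n):
    """Closed form for uniform random challenges: the chance a given cell
    is still unseen after n logins is (1 - 1/cells)**n."""
    return 1 - (1 - 1 / cells) ** n


if __name__ == "__main__":
    card = make_card(random.Random(1))
    for n in (1, 10, 50, 100, 200):
        obs, replay = simulate_logins(card, n, random.Random(n))
        print(f"{n:4d} logins: observer holds {coverage(obs, card):.0%} of the card "
              f"(expected {expected_coverage(len(card), n):.0%}), "
              f"{replay} logins were repeats of a recorded cell")
```

The closed form shows why the scheme buys little against an observer: with 100 cells, roughly 63% of the card is known after 100 observed logins and about 87% after 200, and every login beyond the first hundred or so has a high chance of repeating a cell that was already recorded. A challenge that is never reused (a one-time list) or a response that depends on a per-login nonce is what removes the replay.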

