Re: [WEB SECURITY] SSL does not = a secure website

From: Evert Collab <evert_at_collab.nl>
Date: Wed, 29 Mar 2006 20:00:06 +0200

Our bank (www.rabobank.nl) dispatches a random-reader. A small device
looking like a calculator.

You insert your bankcard and enter a PIN, and it will reply with a number
which you can use to log into the site. It won't use the same number twice, so
keyloggers won't work.
When you are confirming a transaction it requires you to re-enter the
PIN along with an 8-digit number displayed on the site. Confirm with the
number displayed on the device.

Seems like a pretty solid approach to me.

A second bank (www.postbank.nl) uses a huge list with numbers. Every
time you login you enter a new number. This method is awkward,
inconvenient and less secure.

Evert

Gervase Markham wrote:
> James Strassburg wrote:
>
>> There are additional countermeasures that a web application can
>> implement. For example, the app could have the user enter his/her
>> password by clicking an onscreen keyboard or ask the user for random
>> characters from their password (enter the 2nd, 4th and 10th character of
>> your password). I should state that while I've read about these I don't
>> know of a web application that makes use of them.
>>
>
> Barclays Bank in the UK uses the latter - a five-digit numeric password,
> specified in full, and a memorable word, of which you specify two
> letters using dropdown lists (so you have to use the mouse).
>
> Gerv
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>
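The transaction-confirmation step Evert describes (the site shows an 8-digit number, the card plus PIN turns it into a reply, and no number is accepted twice) modelled in Python as an added example; this is not code from the thread and not the bank's real algorithm, which the thread does not describe. The HMAC-SHA256 construction, the shared card key, the PIN check inside the device and the sample key value are all assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

DIGITS = 8  # width of the on-screen challenge and of the device's reply


def _mac_digits(key: bytes, challenge: str) -> str:
    """HMAC the challenge with the shared card key and reduce it to DIGITS decimal
    digits (assumed construction; a plain modulo keeps the model short)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"


class RandomReader:
    """The calculator-like device: it only answers once the card's PIN is entered."""

    def __init__(self, card_key: bytes, pin: str):
        self._card_key = card_key  # assumed: a per-card secret shared with the bank
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def sign(self, pin: str, challenge: str) -> Optional[str]:
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_hash):
            return None  # wrong PIN: the device shows no usable reply
        return _mac_digits(self._card_key, challenge)


class BankSite:
    """Server side: issues fresh challenges and accepts each one at most once,
    so a keylogged challenge/reply pair is useless when replayed."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._pending: set = set()   # issued, not yet answered
        self._consumed: set = set()  # answered (correctly or not), never reissued

    def new_challenge(self) -> str:
        while True:
            c = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
            if c not in self._pending and c not in self._consumed:
                self._pending.add(c)
                return c

    def confirm(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False  # never issued or already used: a replay fails here
        self._pending.discard(challenge)
        self._consumed.add(challenge)  # burn it even if the reply turns out wrong
        return hmac.compare_digest(_mac_digits(self._card_key, challenge), response)
```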

Received on Mar 29 2006
