
Security Basics mailing list archives
Re: Bank Of Montreal Online Security
From: Davin Enigl <davinenigl () comcast net>
Date: Tue, 30 Oct 2012 07:50:08 -0700
" . . .Bank Of Montreal online security is shockingly lax. First of all regardless of your password length, it only cares about the first six characters. Even more insane is it doesn't matter what case of the letters are, it will allow you access all the same." This is "old news". 1. This is not a secret. All (yes all) banks using old UNIX systems do this. It's the normal limitations of those UNIX systems. Although I admit most use 8 characters, which is better than 6. There is also usually a three-password error lock out to discourage guessing -- a saving grace. But yes, there is not case-sensitivity and passwords are truncated to 6-9 characters. Example: Wells Fargo also does the same thing the last I checked. 2. I'm surprised people on this list do not know this. 3. Bank password procedures *should* not be a secret. They should be published by the bank. This also applies to every on-line sysetm that use passwords. 4. Fix the system if you think it needs fixing. 5. Hiding flaws ensures it will *not* be fixed any time soon. I am glad someone is disclosing this, but experienced security people already know this. 6. Delay in fixing flaws virtually ensures that hackers will find it first. Look at the U.S. government: 70+ agencies has data loss. How much was encrypted? O%. 7. How about hashing passwords with user-specific-salt and then again with corporate-server salt? How many do this? It's supposed to be Best Practice, yet . . . Example: IEEE didn't (did you see their breach)- yet they CLAIMED they were observing best practice -- Wrong! --Davin Enigl On 10/29/2012 09:26 AM, hankveins () gmail com wrote:
I take it that your money is not invested with the bank. Perhaps you might have thought about publishing this in an open forum if it was?
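The contrast between the scheme the thread describes (only the first six characters count, case is ignored) and the per-user salt plus server-side salt the post recommends in point 7 is easy to show in code. The following is an added example written for this archive page, not code from the bank, the poster, or any real system: `lax_*` mirrors the described truncate-and-lowercase behaviour so its effect on verification can be observed, and `hardened_*` stores a random per-user salt, runs PBKDF2-HMAC-SHA256, then applies an HMAC keyed with a server-side pepper that lives outside the user database. The pepper value, iteration count and sample passwords are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed placeholder for the "corporate-server salt" (a pepper).
# In a real deployment this comes from a secrets store or HSM, never
# from the same table that holds the per-user salts and hashes.
SERVER_PEPPER = b"constructed-example-pepper-not-a-real-secret"

# Work factor for PBKDF2; a constructed value, tune to your hardware.
PBKDF2_ITERATIONS = 200_000


def lax_normalize(password: str) -> str:
    """Model of the weak scheme described in the thread: keep only the
    first six characters and fold case before anything is compared."""
    return password[:6].lower()


def lax_hash(password: str) -> str:
    """Unsalted hash of the normalised password. Every password sharing
    the same first six characters (in any case) collides here."""
    return hashlib.sha256(lax_normalize(password).encode("utf-8")).hexdigest()


def lax_verify(stored: str, attempt: str) -> bool:
    return hmac.compare_digest(stored, lax_hash(attempt))


def accepted_variants(stored: str, candidates: List[str]) -> List[str]:
    """Defender-side audit helper: which of the given candidate strings
    would the lax verifier accept for one stored record?"""
    return [c for c in candidates if lax_verify(stored, c)]


def hardened_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt -> PBKDF2-HMAC-SHA256 -> HMAC with the server
    pepper. Returns (salt, tag); store both, the pepper stays out of the DB."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt per user
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Second layer keyed by the server-side secret: a leaked table of
    # (salt, tag) pairs cannot be attacked offline without the pepper.
    tag = hmac.new(SERVER_PEPPER, derived, "sha256").digest()
    return salt, tag


def hardened_verify(salt: bytes, tag: bytes, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    The full password, with its case, must match."""
    _, candidate = hardened_hash(attempt, salt)
    return hmac.compare_digest(tag, candidate)


if __name__ == "__main__":
    # Constructed sample credentials.
    original = "Secret123!"
    probes = ["Secret123!", "sECRET999", "secretxyz", "Secrex"]

    lax_record = lax_hash(original)
    print("lax scheme accepts:", accepted_variants(lax_record, probes))

    salt, tag = hardened_hash(original)
    print("hardened scheme accepts:",
          [p for p in probes if hardened_verify(salt, tag, p)])
```

Running it shows the lax verifier accepting every probe that shares the first six letters regardless of case, while the hardened verifier accepts only the exact original. The iteration count is the knob a practitioner tunes to the login latency they can afford; the pepper is what turns a leaked credential table into something that cannot be cracked offline without a second compromise.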