
WebApp Sec mailing list archives
RE: Question concerning Access Card
From: "Lluis Mora" <llmora () sentryware com>
Date: Fri, 23 Apr 2004 15:10:16 +0200
Hi Adrian,

This authentication scheme is widely used in Spanish online banking systems (as well as phone banking). It is usually the second part of a two step process:

1 - The user is asked for a "traditional" username and password on login (this allows the user to check balances, statements, etc)
2 - Before authorizing any balance transfer, the user is requested to use his "access card" to input the value at a certain X,Y position (or potentially two or three X,Y pairs)

AFAIK, the cards are not unique (e.g. two users might receive exactly the same array of letters/numbers) and they are identified by an ID on the back of the card. They are not replaced after a certain amount of transactions have been performed (e.g. you get to input the same X,Y pair value twice)
From: Peter Conrad [mailto:conrad () tivano de]
IMO this does not add any real security. A powerful eavesdropper could reconstruct the Access Card by watching you login repeatedly. A casual eavesdropper who has seen only one question/response pair could wait until the same question is asked again and then use the known response.
About eavesdropping, one could think that with both ends knowing the value of the requested X,Y pair, a simple challenge/response might do the trick to avoid sniffing or replay attacks:

V = Value of pair (X,Y)
C = Random generated challenge

- Server sends C,X,Y to Client
- Client looks up V in his "access card", calculates a hash of a function of C and V and sends the result to the server
- Server calculates the hash of the function of C and V and compares the results

Or something more cryptographically secure :)

Alternatively I guess that by asking a combination of more than one X,Y pair you narrow down the possibilities of the same sequence being seen twice. The systems I have used ask you for 3 pairs from a card of 8x8 values. There are 64^3=262144 possible different questions the system can ask you before repeating the same question, by far more than the transactions I will ever do online :)

At least in Spain it is commonly known as the "Sink the ship" card, so you were not far off with your guessing :)

Cheers,
Lluis
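The challenge/response sketched in the message above, worked through as an added example in Python (not code from the thread or from any bank): the server issues a fresh random challenge C plus three distinct (X,Y) cells, the client answers with an HMAC keyed by the cell values, and the server accepts each challenge exactly once so a captured answer cannot be replayed. The card matrix, the card ID and the "hash of a function of C and V" (HMAC-SHA256 over the challenge) are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed 8x8 "access card" for the example (sample values, not a real card).
CARD_ID = "example-card-0001"
CARD = [[f"{(row * 8 + col) * 37 % 100:02d}" for col in range(8)] for row in range(8)]


def card_value(card, x, y):
    """Look up the value V printed at column X, row Y of the card."""
    return card[y][x]


def compute_response(card, nonce, coords):
    """Client side: V1..Vn are the requested cells; the answer is an HMAC
    over the challenge (nonce and coordinates), keyed with the cell values."""
    key = "".join(card_value(card, x, y) for x, y in coords).encode()
    msg = (nonce + "|" + ";".join(f"{x},{y}" for x, y in coords)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AccessCardServer:
    """Server side: knows the card matrix per card ID and keeps the challenges
    still awaiting an answer; every challenge is answerable exactly once."""

    def __init__(self, cards, pairs_per_challenge=3):
        self.cards = cards
        self.pairs = pairs_per_challenge
        self.pending = {}  # nonce -> (card_id, coords)

    def issue_challenge(self, card_id):
        nonce = secrets.token_hex(16)  # C: fresh random challenge per transaction
        coords = []
        while len(coords) < self.pairs:  # distinct cells, like the 3-pair cards
            cell = (secrets.randbelow(8), secrets.randbelow(8))
            if cell not in coords:
                coords.append(cell)
        self.pending[nonce] = (card_id, coords)
        return nonce, coords

    def verify(self, nonce, response):
        entry = self.pending.pop(nonce, None)  # unknown or already used: reject
        if entry is None:
            return False
        card_id, coords = entry
        expected = compute_response(self.cards[card_id], nonce, coords)
        return hmac.compare_digest(expected, response)  # constant-time compare
```

Note the limitation the message itself hints at: the HMAC key is only three low-entropy card cells, so this stops replay of a captured answer but does not stop an eavesdropper who records C and the response from guessing the cell values offline; a high-entropy per-card secret would be needed for that.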
Current thread:
- Question concerning Access Card Adrian Wiesmann (Apr 22)
- Re: Question concerning Access Card Peter Conrad (Apr 23)
- RE: Question concerning Access Card Lluis Mora (Apr 23)
- Re: Question concerning Access Card Richard Douglas García Rondon (Apr 28)
- Re: Question concerning Access Card Peter Conrad (Apr 30)
- Re: Question concerning Access Card Peter Conrad (Apr 23)