[WEB SECURITY] New two-stage login procedure

Mark Mcdonald mmcdonald at staff.iinet.net.au
Wed Dec 13 02:28:10 EST 2006

Where do we start...

Inputting the PIN digits and the 'significant date' gives potential phishers even more information about the victim they could use to phone the bank and go to town with.

Using randomly placed digits on a keypad prevents only a JS mouse-movement replay attack and allows anyone in the room to see what's being entered.

The last three digits & the date of last login sound like information you need when you call up the bank and can't provide your password.  Putting them on a web page exposes a little too much information I think, particularly when you only need a (potentially cached) login number and the person's surname, although it may make phishing slightly harder.

It looks like they're trying to close one door but inadvertently opening more.  I'd like to see commentary from the experts around here though...


> -----Original Message-----
> From: Gervase Markham 
> Subject: [WEB SECURITY] New two-stage login procedure
> A financial institution with which I have connections has just come up
> with this:
> http://www.ingdirect.co.uk/email/capig2/animate.gif
> Leaving aside the inaccessibility of their chosen method of demoing,
> what do people think?
> Gerv
> --------------------------------------------------------------------------
> --
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
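The randomised keypad point above is easy to see in code. The following is an added illustration, not code from the list post or from the institution being discussed: a server generates a fresh keypad layout per login attempt, the client submits the positions that were clicked, and the server maps those positions back to digits before comparing. Replaying one session's click positions against the next session's layout yields different digits, which is the one thing the scheme defends against; the digits themselves are still on screen for anyone watching. All function names and the sample layouts and PIN are constructed for this example.

```python
import hmac
import secrets

# Server side: one layout per login attempt, drawn from a CSPRNG.
# layout[position] is the digit shown at that position on the keypad.
def new_keypad_layout() -> list[int]:
    digits = list(range(10))
    for i in range(9, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits

# Client side (what a legitimate browser does): the user reads the digits
# of their PIN off the displayed layout and clicks the matching positions.
def digits_to_positions(layout: list[int], pin: str) -> list[int]:
    return [layout.index(int(d)) for d in pin]

# Server side: translate submitted positions back into digits using the
# layout that was issued for *this* attempt.
def positions_to_digits(layout: list[int], positions: list[int]) -> str:
    return "".join(str(layout[p]) for p in positions)

# Server side: constant-time comparison of the reconstructed PIN.
def verify_pin(layout: list[int], positions: list[int], expected_pin: str) -> bool:
    entered = positions_to_digits(layout, positions)
    return hmac.compare_digest(entered, expected_pin)

# Replaying recorded click positions against a fresh layout: returns whether
# the replayed positions decode to the correct PIN under the new layout.
def replayed_positions_still_verify(old_layout: list[int], new_layout: list[int],
                                    pin: str) -> bool:
    recorded = digits_to_positions(old_layout, pin)  # captured in session 1
    return verify_pin(new_layout, recorded, pin)     # submitted in session 2

if __name__ == "__main__":
    pin = "4510"  # constructed sample PIN
    first = new_keypad_layout()
    second = new_keypad_layout()
    print("layout 1:", first)
    print("layout 2:", second)
    print("genuine login:", verify_pin(first, digits_to_positions(first, pin), pin))
    print("replayed positions:", replayed_positions_still_verify(first, second, pin))
```

Note that `digits_to_positions` is exactly the step an onlooker can also perform, since the layout is drawn on the screen; the randomisation changes nothing about what is visible, only about whether a captured position sequence is reusable.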
