[WEB SECURITY] New two-stage login procedure
Theo Spears
theo at theos.me.uk
Wed Dec 13 19:36:10 EST 2006
On Wednesday 13 December 2006 3:34 pm, Brian Eaton wrote:
> Using randomly selected digits of your PIN is a countermeasure against
> newer trojans that do capture mouse-clicks. If you are logging in
> just one time from a shared PC, the newer trojans won't capture your
> entire PIN, just a few digits. Whether this does any good depends on
> how long your PIN is, and how frequently the bank changes which digits
> it asks for.
>
> If the bank changes the digits with each new login attempt, that could
> be a serious problem. The attacker could keep requesting the page
> over and over again, until the bank asks for three digits the attacker
> already knows. If the bank only changes the digits after a successful
> login, that is better.
>
As a user of this service I can confirm the PIN digits requested only change
after a successful login.
Theo Spears
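The refresh attack Brian describes, and the difference the two rotation policies make, can be put in numbers. The following is an added example written for this archive page; it is not code from the list or from any bank. It assumes a 6-digit PIN, a challenge of 3 positions drawn uniformly at random, and a trojan that captured the digits at the 3 positions used in one login from the shared PC; the names `Bank`, `refreshes_until_answerable` and `positions_leaked_over_logins` are this example's own.

```python
"""Toy model of a partial-PIN login (constructed example, not a bank's code).
The bank asks for DIGITS_ASKED of PIN_LENGTH positions. Two challenge policies:
  "per_request" - positions are re-drawn on every page load
  "per_login"   - positions are re-drawn only after a successful login
"""
import random
from math import comb

PIN_LENGTH = 6    # assumption: a 6-digit PIN
DIGITS_ASKED = 3  # assumption: the bank asks for 3 positions per login


def challenge_answerable(challenge, known_positions):
    """True when every position the bank asks for was captured by the attacker."""
    return set(challenge) <= set(known_positions)


def exact_success_probability(pin_length, digits_asked, known_count):
    """Probability that one freshly drawn challenge lies entirely inside the
    known_count positions the attacker already holds (hypergeometric count)."""
    if known_count < digits_asked:
        return 0.0
    return comb(known_count, digits_asked) / comb(pin_length, digits_asked)


def expected_refreshes(pin_length, digits_asked, known_count):
    """Per-request policy: every reload is an independent draw, so the number of
    reloads until an answerable challenge is geometric with mean 1/p."""
    p = exact_success_probability(pin_length, digits_asked, known_count)
    return float("inf") if p == 0 else 1.0 / p


class Bank:
    """Models only which PIN positions the login page asks for."""

    def __init__(self, pin_length, digits_asked, policy, rng=None):
        assert policy in ("per_request", "per_login")
        self.pin_length, self.digits_asked, self.policy = pin_length, digits_asked, policy
        self.rng = rng if rng is not None else random.Random(0)  # seeded for reproducibility
        self._current = self._draw()

    def _draw(self):
        return tuple(sorted(self.rng.sample(range(self.pin_length), self.digits_asked)))

    def challenge(self):
        """Serve the login page; only the per-request policy re-draws here."""
        if self.policy == "per_request":
            self._current = self._draw()
        return self._current

    def successful_login(self):
        """Both policies rotate the positions after a successful login."""
        self._current = self._draw()


def refreshes_until_answerable(bank, known_positions, max_requests):
    """Page requests the attacker needs before the bank asks only for digits he
    already knows; None if that never happens within max_requests."""
    for n in range(1, max_requests + 1):
        if challenge_answerable(bank.challenge(), known_positions):
            return n
    return None


def simulate_mean_refreshes(pin_length, digits_asked, known_positions, policy,
                            trials, seed=1, max_requests=10_000):
    """Average reloads over `trials` fresh banks; None if any trial never succeeds."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        n = refreshes_until_answerable(Bank(pin_length, digits_asked, policy, rng),
                                       known_positions, max_requests)
        if n is None:
            return None
        total += n
    return total / trials


def positions_leaked_over_logins(bank, logins):
    """Positions a trojan learns if the victim logs in `logins` times from the
    same infected PC: the union of every challenge that was actually answered."""
    known = set()
    for _ in range(logins):
        known |= set(bank.challenge())  # victim clicks the digits for this challenge
        bank.successful_login()         # bank rotates the positions afterwards
    return known


if __name__ == "__main__":
    known = (0, 1, 2)  # captured from a single login
    print("p per reload:", exact_success_probability(PIN_LENGTH, DIGITS_ASKED, len(known)))
    print("expected reloads (per-request):", expected_refreshes(PIN_LENGTH, DIGITS_ASKED, len(known)))
    print("simulated reloads (per-request):",
          simulate_mean_refreshes(PIN_LENGTH, DIGITS_ASKED, known, "per_request", trials=2000))
    print("reloads until answerable (per-login):",
          refreshes_until_answerable(Bank(PIN_LENGTH, DIGITS_ASKED, "per_login"), known, 1000))
    print("positions leaked after 4 logins:",
          sorted(positions_leaked_over_logins(Bank(PIN_LENGTH, DIGITS_ASKED, "per_login"), 4)))
```

With these parameters a per-request policy gives the attacker a 1-in-20 chance per reload, so about 20 page loads on average before the bank asks for exactly the three digits he holds. Under the per-login policy the challenge is fixed until the legitimate user authenticates, so reloading the page never changes the answer; the only thing that helps the attacker is the victim logging in again from the infected PC, which is what `positions_leaked_over_logins` shows: each further login hands over three more positions, and a 6-digit PIN is fully exposed after a handful of them.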
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]