[WEB SECURITY] New two-stage login procedure

Theo Spears theo at theos.me.uk
Wed Dec 13 19:36:10 EST 2006


On Wednesday 13 December 2006 3:34 pm, Brian Eaton wrote:

> Using randomly selected digits of your PIN is a countermeasure against
> newer trojans that do capture mouse-clicks.  If you are logging in
> just one time from a shared PC, the newer trojans won't capture your
> entire PIN, just a few digits.  Whether this does any good depends on
> how long your PIN is, and how frequently the bank changes which digits
> it asks for.
>
> If the bank changes the digits with each new login attempt, that could
> be a serious problem.  The attacker could keep requesting the page
> over and over again, until the bank asks for three digits the attacker
> already knows.  If the bank only changes the digits after a successful
> login, that is better.
>

As a user of this service, I can confirm the PIN digits requested only change 
after a successful login.

Theo Spears
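
The difference between the two rotation policies discussed above is easy to see in a small simulation. The following is an added example, not code from the thread or from any bank's login system. It assumes a six-digit PIN, a challenge of three positions (as in the quoted message), a lockout after three failed submissions, and a constructed PIN; none of those parameters come from the page. An attacker who has recorded one login on a shared PC knows three positions and their digits, and tries to get in by reloading the login page until the bank asks only for positions already known. The probability helper generalises beyond the 3-of-6 case to other PIN lengths and to a trojan that has captured more than one login.

```python
import random
from math import comb

PIN_LENGTH = 6      # assumed; the thread does not say how long the bank's PIN is
CHALLENGE_SIZE = 3  # "three digits", as in the quoted message
MAX_FAILURES = 3    # assumed lockout threshold; not described on the page


class PartialPinBank:
    """Toy model of a login that asks for a random subset of PIN digits.

    rotate_on_load=True : new positions every time the login page is loaded
                          (the weak policy the quoted message warns about)
    rotate_on_load=False: positions stay fixed until a successful login
                          (the behaviour reported for the real service)
    """

    def __init__(self, pin, rotate_on_load, rng):
        self.pin = pin
        self.rotate_on_load = rotate_on_load
        self.rng = rng
        self.failures = 0
        self.locked = False
        self.positions = self._fresh_positions()

    def _fresh_positions(self):
        # 0-based digit positions the next login must supply
        return tuple(sorted(self.rng.sample(range(len(self.pin)), CHALLENGE_SIZE)))

    def load_login_page(self):
        """What an unauthenticated GET of the login page asks for."""
        if self.rotate_on_load:
            self.positions = self._fresh_positions()
        return self.positions

    def submit(self, positions, digits):
        """Verify the submitted digits against the current challenge."""
        if self.locked:
            return False
        ok = (positions == self.positions
              and all(self.pin[p] == d for p, d in zip(positions, digits)))
        if ok:
            self.failures = 0
            self.positions = self._fresh_positions()   # rotate only after success
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


def capture_one_login(bank):
    """The click-logging trojan: record the digits the victim enters once."""
    positions = bank.load_login_page()
    digits = [bank.pin[p] for p in positions]
    bank.submit(positions, digits)          # the victim logs in successfully
    return dict(zip(positions, digits))     # {position: digit} now known to the attacker


def replay_attack(bank, captured, max_page_loads=1000):
    """Attacker with a partial PIN who reloads the page looking for a usable challenge.

    Only submits when every requested position is one he captured, so the
    lockout counter is never touched.  Returns (success, page_loads_used).
    """
    for loads in range(1, max_page_loads + 1):
        positions = bank.load_login_page()
        if all(p in captured for p in positions):
            return bank.submit(positions, [captured[p] for p in positions]), loads
    return False, max_page_loads


def usable_challenge_probability(pin_length=PIN_LENGTH, known=CHALLENGE_SIZE,
                                 asked=CHALLENGE_SIZE):
    """P(a freshly chosen challenge asks only positions the attacker already knows)."""
    return comb(known, asked) / comb(pin_length, asked)


def demo(rotate_on_load, seed=1):
    rng = random.Random(seed)
    bank = PartialPinBank("492613", rotate_on_load, rng)   # constructed PIN
    captured = capture_one_login(bank)
    return replay_attack(bank, captured)


if __name__ == "__main__":
    print("P(usable challenge) with 3 of 6 digits known:",
          usable_challenge_probability())                  # 0.05, so about 20 reloads
    print("rotate on every page load :", demo(True))
    print("rotate only after success :", demo(False))
```

With rotation on every page load, a usable challenge turns up with probability C(3,3)/C(6,3) = 1/20 per reload, so the attacker needs around twenty GETs and never risks the lockout, because he only submits when he already knows the answer. With rotation only after a successful login, the challenge is frozen at whatever positions the bank picked after the victim's session; the attacker either gets lucky once (the same 1-in-20 chance, but with no way to retry) or has to guess the unknown digits and burn lockout attempts. A trojan that records two or three logins raises the number of known positions and, with it, the chance that the frozen challenge is answerable, which is the "depends on how long your PIN is" point in the quoted message.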

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]