[WEB SECURITY] SSL does not = a secure website

Evert | Collab evert at collab.nl
Wed Mar 29 13:00:06 EST 2006


Our bank (www.rabobank.nl) dispatches a random-reader. A small device 
looking like a calculator.

You insert your bankcard and enter a PIN, it will reply a number which 
you can use to log into the site. It won't use the same number twice, so 
keyloggers won't work.
When you are confirming a transaction it requires you to re-enter the 
PIN along with a 8-digit number displayed on the site. Confirm with the 
number displayed on the device.

Seems like a pretty solid approach to me.

A second bank (www.postbank.nl) uses a huge list with numbers. Every 
time you login you enter a new number. This method is awkward, 
inconvenient and less secure.

Evert


Gervase Markham wrote:
> James Strassburg wrote:
>   
>> There are additional countermeasures that a web application can
>> implement.  For example, the app could have the user enter his/her
>> password by clicking an onscreen keyboard or ask the user for random
>> characters from their password (enter the 2nd, 4th and 10th character of
>> your password).  I should state that while I've read about these I don't
>> know of a web application that makes use of them.
>>     
>
> Barclays Bank in the UK uses the latter - a five-digit numeric password,
> specified in full, and a memorable word, of which you specify two
> letters using dropdown lists (so you have to use the mouse).
>
> Gerv
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
>
>   


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



More information about the websecurity mailing list