
Re: [WEB SECURITY] SSL does not = a secure website



Our bank (www.rabobank.nl) dispatches a random-reader, a small device looking like a calculator.

You insert your bankcard and enter a PIN, and it will reply with a number which you can use to log into the site. It won't use the same number twice, so keyloggers won't work.
When you are confirming a transaction it requires you to re-enter the PIN along with an 8-digit number displayed on the site. Confirm with the number displayed on the device.


Seems like a pretty solid approach to me.

A second bank (www.postbank.nl) uses a huge list with numbers. Every time you log in you enter a new number. This method is awkward, inconvenient and less secure.

Evert

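As an added illustration of the transaction-confirmation step described above (not Rabobank's actual protocol, whose internals the post does not describe; the per-card key, the local PIN check and the HMAC/HOTP-style truncation are assumptions), here is a minimal challenge/response flow with both the reader side and the bank side:

```python
import hmac
import hashlib
import secrets

DIGITS = 8  # the site shows an 8-digit number, as in the post


def derive_response(card_key: bytes, challenge: str) -> str:
    """Shared computation: HMAC over the challenge, truncated to DIGITS decimals
    (HOTP-style dynamic truncation). Runs identically on the card and at the bank."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def device_respond(card_key: bytes, card_pin: str, entered_pin: str, challenge: str):
    """Reader side: the PIN only unlocks the card and is never sent to the bank.
    Returns the response code, or None when the PIN is wrong (assumed behaviour)."""
    if not hmac.compare_digest(card_pin.encode(), entered_pin.encode()):
        return None
    return derive_response(card_key, challenge)


class BankServer:
    """Bank side: issues a fresh challenge per transaction and accepts each one once."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key  # per-card key shared with the card at issuance (assumption)
        self.pending = {}         # challenge -> (amount_cents, destination)

    def start_transaction(self, amount_cents: int, destination: str) -> str:
        challenge = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self.pending[challenge] = (amount_cents, destination)
        return challenge  # this is the number the site displays to the user

    def confirm(self, challenge: str, response: str) -> bool:
        if challenge not in self.pending:  # unknown, or already used once
            return False
        expected = derive_response(self.card_key, challenge)
        if not hmac.compare_digest(expected, response):
            return False
        del self.pending[challenge]  # consumed: a captured code cannot be replayed
        return True
```

Because the challenge here is only a random number, a user tricked into typing it for a transaction they did not intend would still produce a valid response; deriving the challenge from the amount and destination and showing those on the device would close that gap.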

Gervase Markham wrote:
James Strassburg wrote:
There are additional countermeasures that a web application can
implement. For example, the app could have the user enter his/her
password by clicking an onscreen keyboard or ask the user for random
characters from their password (enter the 2nd, 4th and 10th character of
your password). I should state that while I've read about these I don't
know of a web application that makes use of them.

Barclays Bank in the UK uses the latter - a five-digit numeric password, specified in full, and a memorable word, of which you specify two letters using dropdown lists (so you have to use the mouse).

Gerv

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/






Brought to you by http://www.webappsec.org