RE: Client Computer Registration

actually richard, and others...

depending on what they're doing, there's quite a lot to it.

if the bank is being aggressive, they might be requiring a client app to be
downloaded and are then able to communicate with the client app, thereby
getting a great deal more information. a few companies have begun the
process of not just dealing with authorizing the user, but the
computer/device as well. and it really makes sense. in this way, i as a
business can state with a high degree of confidence that the computer in the
house (assuming i as a business were to take it that far) was used for the
transaction in question...

furthermore, if the dispute isn't satisfied, i can then add the computer to
a "blacklist" of devices.. if enough companies use this kind of system, and
the database is large enough, it becomes an additional tool to use to
minimize online transaction abuse...

as to if people want to be part of this kind of system.. that's a huge
unknown... to be frank, it does open up a number of potential 'privacy'
issues.. but as scott mcnealy said before.."you have no privacy, get over
it!!"

peace...


ps. check out www.passmarksecurity.com


-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx]
Sent: Monday, October 02, 2006 2:11 PM
To: Rahul S. Johari
Cc: PHP
Subject: Re:  Client Computer Registration


On Mon, October 2, 2006 7:07 am, Rahul S. Johari wrote:
> I saw this at the Key.Com website for Keybank Customers. When you go to
> their website to login to view your account, they ask you to register your
> computer for the first time. Once your computer is registered, you can
> access the account using that computer. You can choose to Not register that
> computer and you won't be able to access the account using that computer in
> future.
>
> What exactly are they doing?

Almost-for-sure, they are just giving you a dated cookie instead of a
session cookie, and that's it.

> Can PHP record the MAC Address of the NIC in the computer? Or are they just
> recording the IP and creating an IP based filtration?

They are almost-for-sure not getting your MAC because that's
impossible to the best of my knowledge.

And they'd have to be complete and total idiots to use the IP address
for authentication/identification.

Though, honestly, if this is your BANK, they've really got no business
allowing you to "register" your computer like this...

I mean, somebody breaks into your home and takes the thing, and "poof"
there went your bank account too?

[the following paragraph ASSUMES the existence of a likely virus and
security hole to be exploited.  It is not a statement of existing
fact.]
Or some nifty new virus comes along, and they find your cookies with
that known security hole for Keybank in there with a way to get to
your bank account?!

> I'm looking to implement a similar security system for one of my
> applications.

I mean, yeah, for some stupid on-line forum or something, sure.  But
your bank account?!  No way, Jose.  Don't do it.

> Any advice?

Read the cookies spec.
Use the set_cookie_params function in the PHP manual.

There really isn't a whole lot to this...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
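
The "dated cookie" approach discussed in this thread, sketched as an added example that is not code from any of the posters or from Keybank: a random device token goes to the browser in a persistent cookie, only its hash is kept server-side, and the check runs in addition to the password, never instead of it. The cookie name, the 90-day lifetime and the array standing in for a database table are assumptions; the options-array form of `setcookie` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

const DEVICE_COOKIE = 'device_token';   // hypothetical cookie name
const DEVICE_TTL    = 90 * 24 * 3600;   // assumed 90-day registration lifetime

/** Issue a registration: random token for the browser, only its hash kept server-side. */
function register_device(array &$store, int $userId, int $now): array
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable
    $store[hash('sha256', $token)] = ['user' => $userId, 'expires' => $now + DEVICE_TTL];
    $options = [
        'expires'  => $now + DEVICE_TTL, // "dated" cookie: survives browser restarts
        'path'     => '/',
        'secure'   => true,              // sent over HTTPS only
        'httponly' => true,              // not readable from page script
        'samesite' => 'Strict',
    ];
    return [$token, $options];
}

/** True only if the cookie maps to an unexpired registration for THIS user. */
function is_registered_device(array $store, int $userId, array $cookies, int $now): bool
{
    $token = $cookies[DEVICE_COOKIE] ?? '';
    if (!is_string($token) || $token === '') {
        return false;                    // missing cookie, or an array-valued one
    }
    $row = $store[hash('sha256', $token)] ?? null;
    return $row !== null && $row['user'] === $userId && $row['expires'] > $now;
}

/** Revoke every registration for a user, e.g. after a stolen-computer report. */
function revoke_devices(array &$store, int $userId): void
{
    $store = array_filter($store, fn(array $r): bool => $r['user'] !== $userId);
}

// Constructed demo: $store stands in for a database table, user ids are made up.
$store = [];
$now = time();
[$token, $options] = register_device($store, 42, $now);
if (PHP_SAPI !== 'cli') {
    setcookie(DEVICE_COOKIE, $token, $options); // only after the password check passed
}
$jar = [DEVICE_COOKIE => $token];
var_dump(is_registered_device($store, 42, $jar, $now));                  // registered device
var_dump(is_registered_device($store, 7, $jar, $now));                   // another user's login
var_dump(is_registered_device($store, 42, $jar, $now + DEVICE_TTL + 1)); // after expiry
revoke_devices($store, 42);
var_dump(is_registered_device($store, 42, $jar, $now));                  // after revocation
```

Because the server stores only the hash and can drop rows per user, a copied or stolen cookie can be invalidated without touching the password, and the cookie alone never grants access.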
