From: Richard Quadling

> On 14 May 2010 14:47, Bob McConnell <rvm@xxxxxxxxx> wrote:
>> Actually, I believe that linking a session to a specific individual
>> without reading a biometric key with every http request is an
>> unacceptable risk. And no, I don't do any banking online.
>
> That's why my bank has supplied me with a little card reader for my
> bank card, into which I put my PIN number.
>
> So they know it is me because of something I have (my card and card
> reader) and something I know (my PIN number).
>
> This is pretty similar to the system we use for our online BACS transactions.
>
> And yes, I do online banking.

That only verifies that it was probably you that initially logged in. There is nothing to prevent someone else from knocking you out and using the session once you have completed that step, or hijacking it after you are done. There are any number of ways to intercept your traffic, such as a poisoned DNS server misdirecting your browser through a man in the middle. Even without that, how long would it take someone else to 'discover' your four-digit PIN number if they wanted to? Probably less than an hour with only 9999 possible variations. That's nowhere near safe enough for me.

Bob McConnell

--
PHP General Mailing List (http://www.php.net/)
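The two risks Bob raises (a strongly authenticated session being used later by someone else, and a short PIN being guessed) are usually handled server-side by step-up re-authentication for sensitive actions and an account lockout on failed PIN attempts. The PHP below is an added illustration, not code from either poster; the function names, the five-minute freshness window, the five-attempt limit and the in-memory account record are assumptions.

```php
<?php
// Added example: defensive handling of the two concerns in the thread.
// Assumes session_start() has already been called by the caller.

const STEP_UP_WINDOW   = 300; // seconds a card-reader authentication stays "fresh" (assumed)
const MAX_PIN_FAILURES = 5;   // failures before the account locks (assumed)

// Called once the card reader / PIN step has succeeded.
function recordStrongAuth(): void
{
    // A new trust level gets a new session ID, so an ID captured before
    // login (or fixed by an attacker) cannot ride on this authentication.
    session_regenerate_id(true);
    $_SESSION['strong_auth_at'] = time();
}

// Guard for money-moving actions: a session that authenticated strongly
// an hour ago is treated like an unauthenticated one, which bounds how
// long a hijacked or abandoned session is worth anything.
function requireFreshStrongAuth(): void
{
    $at = $_SESSION['strong_auth_at'] ?? 0;
    if (time() - $at > STEP_UP_WINDOW) {
        unset($_SESSION['strong_auth_at']);
        http_response_code(401);
        exit('Re-authenticate with your card reader to continue.');
    }
}

// $account is a persisted, per-account record (here an array passed by
// reference): ['pin_hash' => password_hash(...), 'failures' => int].
// Counting failures per account rather than per session matters, because a
// guesser can simply discard the session cookie between attempts.
function checkPin(string $submitted, array &$account): bool
{
    if ($account['failures'] >= MAX_PIN_FAILURES) {
        return false; // locked: at most five of the ten thousand PINs were tried
    }
    if (password_verify($submitted, $account['pin_hash'])) {
        $account['failures'] = 0;
        return true;
    }
    $account['failures']++;
    return false;
}
```

The lockout state must be written back to durable storage by the caller; a counter that lives only in `$_SESSION` resets as soon as the attacker drops the cookie.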