On Fri, 2010-05-14 at 10:26 -0400, Bob McConnell wrote:
> From: Richard Quadling
>
> >On 14 May 2010 14:47, Bob McConnell <rvm@xxxxxxxxx> wrote:
> >> Actually, I believe that linking a session to a specific individual
> >> without reading a biometric key with every http request is an
> >> unacceptable risk. And no, I don't do any banking online.
> >
> > That's why my bank has supplied me with a little card reader for my
> > bank card, into which I put my pin number.
> >
> > So they know it is me because of something I have (my card and card
> > reader) and something I know (my pin number).
> >
> > This is pretty similar to the system we use for our online BACS
> > transactions.
> >
> > And yes, I do online banking.
>
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
>
> Even without that, how long would it take someone else to 'discover'
> your four digit PIN number if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
>
> Bob McConnell

Actually, a 4-digit pin has 10,000 combinations (0000 through 9999 inclusively).

It becomes more interesting if you allow for letters as well, with case sensitivity, so the permutations would become 62^4 (52 letters & 10 numbers).

Thanks,
Ash
http://www.ashleysheridan.co.uk
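The keyspace arithmetic the thread argues about (10^4 values for a four-digit PIN, 62^4 once case-sensitive letters are allowed) is only half of the risk picture; what bounds an online guessing attack is the guessing budget the server grants, i.e. its throttling or lockout policy. The following is an added example, not code from either poster, that generalises the thread's two cases to any alphabet and length and puts the keyspace next to a hypothetical lockout policy so the two can be compared. The `LockoutPolicy` shape and the guess rates are assumptions for illustration.

```python
"""Keyspace size of fixed-length secrets versus the online guessing budget
a lockout policy allows. Added example; alphabet sizes follow the mail:
10 digits, or 52 case-sensitive letters + 10 digits = 62 symbols."""
import math
from dataclasses import dataclass

DIGITS = 10        # 0-9
ALNUM_CASE = 62    # a-z, A-Z, 0-9
SECONDS_PER_DAY = 86_400


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets: every position may hold any symbol,
    so the count is alphabet_size ** length (10**4 = 10,000 for a PIN,
    since 0000 through 9999 are all valid)."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(size: int) -> float:
    """Equivalent secret strength in bits for a uniformly chosen secret."""
    return math.log2(size)


def expected_guesses(size: int) -> float:
    """Mean number of guesses an exhaustive online search needs: the secret
    is equally likely to sit at any position in the guess order, so the
    mean is (size + 1) / 2."""
    return (size + 1) / 2


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical throttling rule: after `attempts` consecutive failures
    the account is locked for `lockout_seconds`. The guesses themselves are
    treated as instantaneous, which makes the budget an upper bound."""
    attempts: int
    lockout_seconds: float


def guesses_per_day_unthrottled(guesses_per_second: float) -> float:
    """Budget when the server applies no lockout at all."""
    return guesses_per_second * SECONDS_PER_DAY


def guesses_per_day_locked(policy: LockoutPolicy) -> float:
    """Budget for a single account under the lockout policy: `attempts`
    guesses, then a wait of `lockout_seconds`, repeated all day."""
    if policy.lockout_seconds <= 0:
        raise ValueError("a lockout of zero seconds is no lockout")
    cycles_per_day = SECONDS_PER_DAY / policy.lockout_seconds
    return policy.attempts * cycles_per_day


def days_to_exhaust(size: int, guesses_per_day: float) -> float:
    """Days needed to try every value at the given daily budget."""
    return size / guesses_per_day


def minimum_length(alphabet_size: int, target_bits: float) -> int:
    """Shortest secret over the alphabet reaching the target strength."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pin = keyspace_size(DIGITS, 4)
    alnum = keyspace_size(ALNUM_CASE, 4)
    print(f"4-digit PIN: {pin:,} values, {entropy_bits(pin):.1f} bits")
    print(f"4-char alnum: {alnum:,} values, {entropy_bits(alnum):.1f} bits")

    # Constructed comparison: 10 guesses/s with no lockout versus
    # 3 attempts then a one-hour lockout.
    fast = guesses_per_day_unthrottled(10)
    slow = guesses_per_day_locked(LockoutPolicy(attempts=3, lockout_seconds=3600))
    print(f"PIN, no lockout:   {days_to_exhaust(pin, fast):.3f} days")
    print(f"PIN, 3/hour rule:  {days_to_exhaust(pin, slow):.1f} days")
    print(f"digits needed for 40 bits: {minimum_length(DIGITS, 40)}")
```

The point the numbers make is the one Bob's "less than an hour" depends on: a 10,000-value PIN survives an unthrottled guesser for minutes, but with three attempts per hour the same PIN takes months to exhaust, and a smart card that locks permanently after a handful of failures turns exhaustive search into a non-option regardless of the digit count.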