On 14 May 2010 15:26, Bob McConnell <rvm@xxxxxxxxx> wrote:
> From: Richard Quadling
>
>> On 14 May 2010 14:47, Bob McConnell <rvm@xxxxxxxxx> wrote:
>>> Actually, I believe that linking a session to a specific individual
>>> without reading a biometric key with every http request is an
>>> unacceptable risk. And no, I don't do any banking online.
>>
>> That's why my bank has supplied me with a little card reader for my
>> bank card, into which I put my pin number.
>>
>> So they know it is me because of something I have (my card and card
>> reader) and something I know (my pin number).
>>
>> This is pretty similar to the system we use for our online BACS
>> transactions.
>>
>> And yes, I do online banking.
>
> That only verifies that it was probably you that initially logged in.
> There is nothing to prevent someone else from knocking you out and using
> the session once you have completed that step, or hijacking it after you
> are done. There are any number of ways to intercept your traffic, such
> as a poisoned DNS server misdirecting your browser through a man in the
> middle.
>
> Even without that, how long would it take someone else to 'discover'
> your four digit PIN number if they wanted to? Probably less than an hour
> with only 9999 possible variations. That's nowhere near safe enough for
> me.
>
> Bob McConnell
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

The pin pad requires my 4 digit pin and generates an 8 digit number which is
required by the bank's web site (100 million combinations and must match
expectation on the server). The 8 digit number is different every time.

And 3 failed logins disables the login until I go through security via the
phone. And then I still have to use the same data to try again.

The channel is https ONLY - you cannot login on http.

I also keep my front door locked and I trust my wife and kids to not knock me
out, though the way the kids play up sometimes ...

DNS poisoning is certainly a possibility. The Blue Frog incident a few years
ago certainly revealed a weakness in DNS servers (the operators).

And you are right, essentially a man-in-the-middle is still not defendable
(AFAIK).

--
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
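The login scheme the two messages argue over (a PIN that only unlocks a card reader, an 8-digit code that changes on every press and must match the server's expectation, a lockout after three failed attempts) can be modelled end to end. The code below is an added example, not code from the thread or from any bank: it uses the HOTP construction from RFC 4226 for the 8-digit code, and the `CardReader`, `BankServer`, the shared secret, the account name, the PIN and the counter look-ahead of 5 are all constructed for the illustration.

```python
"""Server-side check of an 8-digit one-time code with a three-strike lockout.

Added illustration only; not code from the mailing-list thread or any bank.
Code generation follows RFC 4226 HOTP (HMAC-SHA1 over a moving counter,
dynamic truncation, modulo 10^digits). The reader, secret, account and
look-ahead window are constructed here for the example.
"""
import hashlib
import hmac
import struct
from typing import Optional

DIGITS = 8          # the thread describes an 8-digit code
MAX_FAILURES = 3    # the thread describes lockout after 3 failed logins
LOOKAHEAD = 5       # assumed drift tolerance: presses that never reached the server


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CardReader:
    """Constructed stand-in for card plus reader ('something you have').
    The PIN ('something you know') only unlocks the card; it never leaves the device."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._counter = 0

    def generate(self, pin: str) -> Optional[str]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None                       # wrong PIN: nothing to type into the web site
        code = hotp(self._secret, self._counter)
        self._counter += 1                    # every press yields a different code
        return code


class BankServer:
    """Constructed server side: per-account secret, counter, failure count and lock flag."""

    def __init__(self) -> None:
        self.accounts: dict = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.accounts[user] = {"secret": secret, "counter": 0, "failures": 0, "locked": False}

    def verify(self, user: str, code: str) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"                   # unknown account answers like a wrong code
        if acct["locked"]:
            return "locked"                   # only the out-of-band phone check clears this
        for c in range(acct["counter"], acct["counter"] + LOOKAHEAD):
            if hmac.compare_digest(hotp(acct["secret"], c), code):
                acct["counter"] = c + 1       # a code is accepted once; replays fail
                acct["failures"] = 0
                return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "denied"

    def unlock_after_phone_check(self, user: str) -> None:
        """Models the 'security via the phone' step: resets the strike count, keeps the counter."""
        self.accounts[user]["failures"] = 0
        self.accounts[user]["locked"] = False


def demo() -> list:
    """Walk through the scenario from the thread; returns the server's answers in order."""
    secret = b"constructed-card-secret-0001"   # constructed; a real card key never leaves the chip
    bank, reader = BankServer(), CardReader(secret, pin="4321")
    bank.enrol("richard", secret)
    results = []
    code = reader.generate("4321")
    results.append(bank.verify("richard", code))            # genuine login: ok
    results.append(bank.verify("richard", code))            # same code replayed: denied (strike 1)
    for guess in ("00000000", "12345678"):                  # two blind guesses: denied, then locked
        results.append(bank.verify("richard", guess))
    results.append(bank.verify("richard", reader.generate("4321")))  # genuine code, but locked
    bank.unlock_after_phone_check("richard")
    results.append(bank.verify("richard", reader.generate("4321")))  # after the phone check: ok
    return results
```

The last step also exercises the look-ahead window: two presses were wasted while the account was locked, so the reader's counter is ahead of the server's, and the server still accepts the code because it searches a few counter values forward and then resynchronises.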