Robert Potts wrote:
> 
> This question may not be appropriate for this list, I do not know, if 
> there is another list it should be posted on please let me know!
> 
> Recently my banking institution has changed the method for logging in.  
> You must be able to answer test questions if you do not log in from the 
> usual "computer" (which actually, if you read below, means "browser").  
> The method they use to know if you are logging in from the same computer 
> (read again as "browser") is an encrypted cookie.
> 
> The only personal info they send (they claim) is the member number. I 
> don't have reason to doubt them, but I wonder if this is the whole truth.
> 
> I'm curious if 1) this is actually a good way to do it and 2) if this is 
> actually a security enhancement, what are the potential risks and 
> vulnerabilities, and is the "encrypted cookie" going to be able to be 
> decrypted fairly easily or not.
> 
> I am no expert, but I do have a lot of curiosity about this.  My gut 
> feeling is they are implementing something that appears to the 
> uneducated user as an enhancement, but in reality is something more 
> along the lines of "security through obscurity".  Banks seem to be all 
> too willing to rely on OS's that are inherently insecure, and often seem 
> to have somewhat amateurish approaches to security issues.
> 
> I appreciate any and all responses, and again, if there is a better 
> place to post this please let me know.

Probably an easy way to test.  If you can transfer the "encrypted" cookie 
from one machine to another, this means that the cookies could be easily
harvested and used to access your account without even taking the
trouble to actually impersonate you. 

Methinks it doesn't matter if YOU can decrypt the cookie, can the bank 
decrypt it and thereby know which account to play "open sesame" with?

Does the bank also ask you for your account#?


_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies
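An added illustration, not from either poster nor from any bank, of how a "known browser" cookie of the kind described can be built on the server side and why the copy-to-another-machine test suggested in the reply matters: only the server holds the key, so the cookie is verifiable by the bank yet opaque to the customer, but nothing inside it binds it to a machine, so a copied cookie still passes and must never replace the password itself. Function names, the MAC-over-JSON layout and the 90-day lifetime are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Server-only secret (assumed): the browser never sees it, which is why the
# customer cannot read or forge the cookie while the bank can verify it.
SERVER_KEY = secrets.token_bytes(32)

def issue_device_cookie(member_number, key=SERVER_KEY, now=None):
    """Mint a 'known browser' cookie: member number, random per-browser id,
    issue time, all authenticated with an HMAC so edits are detectable."""
    payload = {
        "member": member_number,
        "device": secrets.token_hex(16),          # random id, no personal data
        "iat": int(now if now is not None else time.time()),
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_device_cookie(cookie, key=SERVER_KEY, max_age=90 * 86400, now=None):
    """Return the payload if the MAC and age check out, else None
    (tampered, expired, wrong key or garbage all land in the same place)."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time compare
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    current = now if now is not None else time.time()
    if current - payload["iat"] > max_age:
        return None
    return payload

def is_known_device(cookie, member_number, registered, key=SERVER_KEY, now=None):
    """Decide whether the challenge questions may be skipped for this login.
    The cookie only says 'this browser passed the questions before'; the
    password is still required, and a valid cookie minted for another member
    or a device id the server never recorded for this member must not count.
    Note what is NOT checked: anything tying the cookie to a physical machine,
    so a cookie lifted from one browser verifies just as well from another."""
    p = verify_device_cookie(cookie, key, now=now)
    return (p is not None and p["member"] == member_number
            and p["device"] in registered.get(member_number, set()))
```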