Re: pen testing https portal?

From: Paolo Scarabelli (paolo@msw.it)
Date: Sun Sep 10 2006 - 07:06:10 EDT


I believe he means that the user has a 10-digit PIN and the form asks
for some randomly selected digits.

I.e.: the PIN is 0192837465
if the form asks for 1234 the user will have to enter 0192
if the form asks for 5678 the user will have to enter 8374
if the form asks for 1357 the user will have to enter 0987
Etc.

I came across some eBanking and Mobile Banking (via SMS) applications
using this system in Indonesia.

Regards,

Paolo

Nathan Keltner wrote:
> Is the 1st pin ('1234') static? I.e., does it change into '0192',
> requiring the user to write down their current PIN after every login?
> I'm guessing that's not the case b/c of the difficulties users would
> have with such a system.
>
> So, assuming '1234' is your PIN all the time, and the temporary '0192'
> changes each login, you're effectively using '1234' as the password
> every time. The '0192' is irrelevant from a security perspective, and
> probably an unneeded burden on your users. It doesn't buy you any
> more security that I can see, other than requiring two passwords
> ('1234' and 'password'). It is not two-factor or a similar solution.
>
> On 7 Sep 2006 20:44:39 -0000, mismail@postmaster.co.uk
> <mismail@postmaster.co.uk> wrote:
>> has anyone ever tested a https portal?
>>
>>
>> basically i have a client who has constructed a https portal to allow
>> workers to log on from anywhere and access apps and files.
>>
>>
>> how it works is the username and pw are the user's AD logon details,
>> the pin is emailed to the user, so for example when the user logs on
>> he has a button saying generate pin!
>>
>>
>> now say for example he has a pin of 1234 when he hits generate pin a
>> picture comes up like this
>>
>>
>> 1234567890
>>
>> 0192837465
>>
>>
>> so the user finds his 1st number in his pin, and types the number below
>> it, same with 234 and enters that into the pin field:
>>
>>
>> username: bloggs
>>
>> pw: password
>>
>> pin: 0192
>>
>>
>> the pin is one time unique! has anyone ever come across a setup like
>> this?
>>
>>
>> sorry for the long post!
>>
>>
>> hope you can help!
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Need to secure your web apps?
>> Cenzic Hailstorm finds vulnerabilities fast.
>> Click the link to buy it, try it or download Hailstorm for FREE.
>> http://www.cenzic.com/products_services/download_hailstorm.php
>> ------------------------------------------------------------------------
>>
>>
>

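Both readings of the scheme discussed in this thread, modelled in Python as an added example (constructed code, not the portal's own and not from anyone in the thread); the digit values are the ones quoted above, and treating position '0' as the tenth PIN digit is an assumption:

```python
"""Two readings of the login scheme in this thread (constructed example, not the
portal's own code): the substitution table from the original post and Paolo's
positional partial-PIN challenge, and what one observed login reveals."""
import hmac
import secrets

TOP_ROW = "1234567890"  # the fixed first line of the picture shown to the user

def generate_table(rng=secrets.SystemRandom()) -> str:
    """Server side: a fresh random permutation of 0-9 printed under TOP_ROW."""
    digits = list(TOP_ROW)
    rng.shuffle(digits)
    return "".join(digits)

def substitution_response(pin: str, table: str) -> str:
    """What the user types: for each PIN digit, the table digit printed below it."""
    return "".join(table[TOP_ROW.index(d)] for d in pin)

def verify_substitution(pin: str, table: str, response: str) -> bool:
    """Server-side check of the typed value against the stored static PIN."""
    return hmac.compare_digest(substitution_response(pin, table), response)

def pin_implied_by(table: str, response: str) -> str:
    """Nathan's point: the table is displayed in the clear, so table + response
    determine the static PIN completely. Anyone who sees both (shoulder surfer,
    keylogger, a proxy terminating the TLS session) learns the PIN from one login,
    so the 'one-time' value adds no security over the PIN itself."""
    inverse = {shown: orig for orig, shown in zip(TOP_ROW, table)}
    return "".join(inverse[r] for r in response)

# Paolo's reading: a 10-digit PIN, and the form asks for some of its positions.
def positional_response(pin: str, positions: str) -> str:
    """positions are 1-based digits, e.g. '1357'; '0' is taken to mean the tenth
    digit (an assumption: the thread only shows positions 1-8)."""
    return "".join(pin[9 if p == "0" else int(p) - 1] for p in positions)

def digits_revealed(observations) -> dict:
    """Defender's view of the positional variant: every observed (positions,
    response) pair fixes those PIN positions, so the PIN leaks a few digits per
    login. Returns position -> digit learned so far."""
    known = {}
    for positions, response in observations:
        for p, d in zip(positions, response):
            known[10 if p == "0" else int(p)] = d
    return known

if __name__ == "__main__":
    print(substitution_response("1234", "0192837465"))  # 0192, as in the post
    print(pin_implied_by("0192837465", "0192"))  # 1234
```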



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:55 EDT