Warren Oates <(E-Mail Removed)> hath wroth:
>In article <(E-Mail Removed)>,
> Jeff Liebermann <(E-Mail Removed)> wrote:
>
>> Yes. The packets are secure with WPA2 and a long random password.
>>
>> I'm never sure about the users. For example, many users save their
>> login and passwords in IE6 or Firefox browsers saved passwords. Those
>> are easily read and recovered. I really enjoy the shock value of
>> reading back the passwords to a customer.
>
>My bank doesn't seem to let Firefox keep the password; I don't remember
>ever being asked if I wanted to save it. I wouldn't have done so.
You're correct.

Most banks have more than one login page which vary somewhat as to how
they operate. With one smaller bank, the home page login forces the
browser to NOT remember passwords, while the simpler login pages do
offer to save the password. Most do it by turning off autocomplete
which is another file worth cleaning. Most banks never offer to
remember the password.

It's also fairly easy to circumvent with a Firefox extension or
JavaScript:
http://roachfiend.com/archives/2005/...mber-password/
http://www.squarefree.com/bookmarkle...ember_password
I wouldn't do it.
When I give myself a tour of users' passwords in Firefox, I sometimes
do find bank passwords, but they are few and far between.

There's also a question of how functional are the web pages in the
first place. See:
http://news.bbc.co.uk/1/hi/business/3995019.stm
The discussion following the article has a few relevant points.
>Well, I'm not worried about my _banking_ password, which is long enough
>and complicated enough that no one else will figure it out, and I change
>it frequently as well. I'm not too worried about physical security,
>there's only two of us in the house, and I don't keep anything written
>down in plain sight. The wife is more cautious than I am, if anything.
It appears that you have the security thing fairly well under control.
However, I would feel much better if my bank offered S-Key OTK (one
time key) services for authentication.
http://www.aladdin.com/etoken/enterp..._smartcard.asp
http://www.verisign.com/products-ser...ion/index.html
The very nature of having a password makes it insecure. If someone
has your password, they own your bank account. That could be
delivered via a keystroke logger, spyware, or other malware. With the
level of complexity found in today's computahs, methinks operating on
the assumption that a machine has been compromised is a fair
assumption. This makes passwords problematic.
>> Also, beware of family members bearing cameras and camcorders while
>> you're logging into online banking. Your keystrokes can be easily
>> recovered.
>
>Never thought of that. Hmm. Cousin Teddy, why are you filming me while I
>pay my gas bill?
Think cell phone camera. I went to dinner with some local geeks. One
of them was covertly recording most of the 2 hour dinner and
conversation with a very small PC and CCD camera. These can also be
obtained from the spy shops. This isn't the one but something like
these would work:
http://www.spygadgets.com/micro-mini-dvr.htm
http://www.spygadgets.com/undercover-cameras/index.htm

Incidentally, one of my former neighbor's 15 year old son was a "finger
hacker". He could watch someone dial a phone number, or type
something on the keyboard, and read back what was typed including
shifted and control characters. Long ago, I drove one IT department
nuts by using their own video security cameras in the server room to
record the keystrokes of the admin logging in on the console.
>> There's also a problem with all shared key schemes such as WPA2. Your
>> router may be secure (assuming you set a router configuration
>> password), but the client computers also need the same key. If the
>> other clients are compromised, so is your entire wireless network.
>That's interesting, but I reckon that if my banking password is secure,
>as I mentioned above, no one that I allow access to my network can get
>at it. Anyway, it's only people I trust that use the wireless
>connection. I'm not running a "hot spot."
Well, even if your wireless network security were compromised, there's
no guarantee that any of the information passed along the wireless
network is useful if encrypted by the bank. There's also no guarantee
that an evil hacker would automatically gain access to your computer
and extract your password from a file. If this is an issue, just use
the Windoze personal firewall to keep other users out of your
computer.
--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
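
The post above notes that one bank login page may turn off autocomplete while a simpler login page on the same site still offers to save the password. The following is an added example, not part of the original post: a small audit that parses login pages and reports which password fields lack the attribute. The page names and HTML are constructed samples, and the function names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample pages (not taken from any real bank).
SAMPLE_PAGES = {
    "home.html": '<form action="/login" autocomplete="off">'
                 '<input name="user"><input type="password" name="pin"></form>',
    "simple-login.html": '<form action="/login">'
                         '<input name="user"><input type="password" name="pass"></form>',
    "mobile-login.html": '<form action="/login">'
                         '<input type="PASSWORD" name="pw" autocomplete="OFF"></form>',
}

class PasswordFieldAudit(HTMLParser):
    """Record each password input and whether the page asks the browser not to save it."""

    def __init__(self):
        super().__init__()
        self.form_off = False  # autocomplete="off" on the enclosing <form>
        self.fields = []       # (field name, asks_not_to_save)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        value = lambda key: (a.get(key) or "").strip().lower()
        if tag == "form":
            self.form_off = value("autocomplete") == "off"
        elif tag == "input" and value("type") == "password":
            # A field-level attribute takes precedence over the form-level one.
            off = value("autocomplete") == "off" if "autocomplete" in a else self.form_off
            self.fields.append((a.get("name") or "?", off))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(pages):
    """Return {page name: [(field name, asks_not_to_save), ...]}."""
    report = {}
    for name, html in pages.items():
        parser = PasswordFieldAudit()
        parser.feed(html)
        parser.close()
        report[name] = parser.fields
    return report

def pages_offering_to_save(pages):
    """Pages with at least one password field that does not turn autocomplete off."""
    return sorted(n for n, f in audit(pages).items() if any(not off for _, off in f))

if __name__ == "__main__":
    print(pages_offering_to_save(SAMPLE_PAGES))
```

Current browser password managers generally ignore `autocomplete="off"` on login fields, so the attribute is a hint to the browser rather than a control.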