"multifactor authentication", question about banking security

Jeremy David epistemology at gmail.com
Wed Dec 20 08:57:06 PST 2006


On 12/20/06, Tony Abernethy <tony at servacorp.com> wrote:
> Robert Potts wrote:

> Probably an easy way to test.  If you can transfer the "encrypted" cookie
> from one machine to another, this means that the cookies could be easily
> harvested and used to access your account without even taking the
> trouble to actually impersonate you.
>
> Methinks it doesn't matter if YOU can decrypt the cookie, can the bank
> decrypt it and thereby know which account to play "open sesame" with?
>
> Does the bank also ask you for your account#?

If I'm reading this right, the bank asks an extra question if it can't
find the cookie it's looking for. It doesn't simply let anyone through
if they have possession of this one cookie.

I don't think this is really a hole, it's just smoke and mirrors.
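An added illustration of the flow discussed in this thread (example code written for this page, not from any bank or list member): the bank mints a device cookie it can verify and map back to an account, a recognised cookie only skips the extra question, and a cookie on its own never opens the account. The server key, account and challenge answer are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed bank-side state for the example: a server secret and one enrolled account.
SERVER_KEY = b"constructed-server-secret"
ACCOUNTS = {
    "acct-1234": {"password": "correct horse", "challenge_answer": "Smith"},
}
TAG_LEN = 32  # SHA-256 HMAC tag appended to the cookie payload

def issue_device_cookie(account_id: str) -> str:
    """Mint a 'remembered device' cookie. The bank binds it to the account with an
    HMAC, so the bank can recognise it later but a client cannot forge or alter it."""
    payload = f"{account_id}:{secrets.token_hex(8)}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def account_from_cookie(cookie: str):
    """The bank's side of 'can the bank decrypt it': verify the tag and recover the account id.
    Returns None for anything not minted by this server (tampered, truncated, garbage)."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None
    return payload.split(b":", 1)[0].decode()

def login(account_id: str, password: str, cookie: str = None, challenge_answer: str = None) -> str:
    """Returns 'ok', 'need-challenge' or 'denied'.
    The cookie never replaces the password; a recognised cookie only skips the extra
    question, and a missing or unrecognised cookie falls back to that question."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or not hmac.compare_digest(password.encode(), acct["password"].encode()):
        return "denied"
    if cookie is not None and account_from_cookie(cookie) == account_id:
        return "ok"  # recognised device: extra question skipped
    if challenge_answer is None:
        return "need-challenge"  # no usable cookie: ask the extra question
    return "ok" if challenge_answer == acct["challenge_answer"] else "denied"
```

Because the cookie is a bearer value, the same string presented from any other machine is still recognised (Tony's transfer test), which is exactly why it can only be allowed to skip the challenge and not to stand in for the password.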


More information about the Openbsd-newbies mailing list