The wisdom of the ill informed

Perry E. Metzger perry at piermont.com
Mon Jun 30 19:16:16 EDT 2008 

Ed Gerck <edgerck at nma.com> writes:
> dan at geer.org wrote:
>> So I hold the PIN constant and vary the bank account number.
>
> This is, indeed, a possible attack considering that the same IP may be
> legitimately used by different users behind NAT firewalls and/or with
> dynamic IPs. However, there are a number of reasons, and evidence, why
> this attack can be (and has been) prevented even for a short PIN:

You're completely wrong here. Lets go through just two of the ways.

> 1. there is a much higher number of combinations in a 12-digit account
> number;

There is a lot of structure in most bank account numbers. The space is
pretty easy to narrow down if you do a nickel's worth of homework. For
example, a typical bank bank might have the first three digits code
for the branch (and a list of branches is easy to find), and several
of the additional numbers code for account type, plus the space of
remaining numbers is not exactly randomly assigned. If you need
typical account numbers to examine to learn such secrets, you can buy
them in bulk online these days. I suspect that currently invalid
accounts are probably even cheaper than valid ones, though they're not
a stock item -- you would have to ask to get them.

> 2. banks are able to selectively block IP numbers for the /same/
> browser and /same/ PIN after 4 or 3 wrong attempts,

Not really. These days, there are people hijacking huge IP blocks for
brief periods for spamming. People also hijack vast numbers of zombie
machines. Either technology is easily used to prevent block-by-IP
from doing squat for you.

I'm sure you will now go on about some other way to evade Dan's
crucial point, but it should be obvious to almost anyone that you're
not thinking like the bad guys. If you really want to go on about
this, though, I'll let you have as much rope as you like, though only
for a post or two as I don't want to bore people.

In any case, there are a large number of reasons US banks don't
(generally) require or even allow anyone to enter PINs for
authentication over the internet. I don't know much about the
practices of foreign banks, as for the most part I consult in the US.


Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list