RE: PIN policy

Subject: RE: PIN policy
Date: Thu, 14 Jul 2005 13:02:33 +0200
8 characters including alphabets, numerals and special characters is the
main cause for users to write down their PIN on a note near their
computer/identification device.

I recommend using a reasonable and usable PIN to avoid mistreatment of the PIN. If:

 - PIN generation and communication process should ensure that only the customer has access to it.
 - User-ID and PIN should be communicated separately to customer.
 - Application should force user to change PIN at first login.
 - PIN should be transmitted in encrypted/hashed format from client to server.
 - Application should have facility for user to change PIN at any time without IT-staff assistance.
 - Application should ensure PIN is stored with one-way encryption to ensure system administrator cannot access PIN information.
 - Application should lockout users after fixed number of unauthorized attempts.
 - Lost PIN recovery process should ensure that random PINs are generated. Application should force change of PIN at next login.



Best Regards
 
Eyal Fingold
Information Security Architect
Itcon Ltd
 
-----Original Message-----
From: Brian [mailto:briant2891@hotmail.com] 
Sent: Wednesday, July 13, 2005 8:32 PM
To: security-management@securityfocus.com
Subject: RE: PIN policy

* Minimum length 8 characters.
* Not in any dictionary.
* No word or phrase bearing any connection to the holder.
* Containing no characters in the ASCII character set.
* No characters typeable on a Sun type 5 keyboard.
* No subset of one character or more must have appeared on Usenet news, /dev/mem, rand(3), or the King James bible (version 0.1alpha).
* Must be quantum theoretically secure, i.e. must automatically change if observed (to protect against net sniffing).
* Binary representation must not contain any of the sequences 00 01 10 11, commonly known about in hacker circles.
* Be provably different from all other passwords on the internet.
* Not be representable in any human language or written script.
* Color passwords must use a minimum 32 bit palette.
* Changed prior to every use.
* Resistant to revelation under threat of physical violence.
* Contain tissue samples of at least 3 vital organs.
* Incontrovertible by OJ Simpson's lawyers.
* Undecodable by virtue of application of 0 way hash function.
* Odorless, silent, invisible, tasteless, weightless, shapeless, lacking form and inert.
* Contain non-linear random S-boxes (without a backdoor).
* Self-escrowable to enable authorities to capture kiddie-porn people and baddies but not the goodies ("but we'll only decode it with a court order, honest").
* Not decryptable by exhaustive application of possible one time pads.


Hi,

PIN policy could include the following technical areas. Depending on the delivery channel and its strengths/limitations, the specific standards and guidelines for each channel can be built, e.g. Internet Banking might allow 8 characters while ATM and IVR might be limited to 4.

**Strength of PIN**

* Minimum length of PIN should be 8 or whatever maximum is permitted by the application.
* PIN should include alphabets, numerals and special characters.

**PIN generation and communication**

* PIN generation and communication process should ensure that only the customer has access to it.
* User-ID and PIN should be communicated separately to customer.

**PIN usage**

* Application should force user to change PIN at first login.

**PIN security**

* PIN should be transmitted in encrypted/hashed format from client to server.
* Application should have facility for user to change PIN at any time without IT-staff assistance.
* Application should ensure PIN is stored with one-way encryption to ensure system administrator cannot access PIN information.
* Application should lockout users after fixed number of unauthorized attempts.

**PIN recovery**

* Lost PIN recovery process should ensure that random PINs are generated. Application should force change of PIN at next login.




Jose Varghese

Paladion Networks

Application Security Magazine
http://palisade.paladion.net


  _____

From: Murli Nambiar [mailto:murli.n@rediffmail.com]
Sent: Friday, July 08, 2005 12:33 PM
To: security-management@securityfocus.com
Subject: PIN policy



Hi everyone,

I have a requirement to have a policy on PINs (Personal Identification
Numbers). Would anyone have a PIN policy which could be shared, or guide me
towards some resource? I checked across many of the sites like NIST and SANS
but was not able to find anything.

The policy has to be more from a technical angle which every channel (ATM,
IVR or Internet Banking) needs to follow or consider.

Thanks in advance.
Murli






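Added example, not code from anyone in this thread: a small Python PIN store that enforces the checklist Jose posted above (one-way salted hashing so administrators cannot read PINs, forced change at first login, self-service change, lockout after a fixed number of failures, and a fresh random PIN on lost-PIN recovery). The lockout threshold of 3 and the special-character set are assumptions; the thread leaves both open.

```python
import hashlib, hmac, secrets, string

MIN_LEN = 8            # "minimum length of PIN should be 8"
MAX_ATTEMPTS = 3       # lockout threshold; assumed value, the thread leaves it open
SPECIALS = "!@#$%^&*"  # assumed special-character set
PIN_ALPHABET = string.ascii_letters + string.digits + SPECIALS

def pin_meets_policy(pin):
    # Strength rule: minimum length plus letters, numerals and special characters
    return (len(pin) >= MIN_LEN and any(c.isalpha() for c in pin)
            and any(c.isdigit() for c in pin) and any(c in SPECIALS for c in pin))

class PinStore:
    def __init__(self):
        self._users = {}   # user_id -> record; the PIN itself is never stored
    @staticmethod
    def _hash(pin, salt):
        # Salted, slow one-way hash: an administrator reading the store cannot recover PINs
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    def _set(self, user_id, pin, must_change):
        salt = secrets.token_bytes(16)
        self._users[user_id] = {"salt": salt, "hash": self._hash(pin, salt),
                                "failed": 0, "locked": False, "must_change": must_change}
    def issue_random_pin(self, user_id):
        # Initial issue and lost-PIN recovery: random PIN, returned once (to be sent
        # separately from the user id) and flagged for mandatory change at next login
        pin = ""
        while not pin_meets_policy(pin):
            pin = "".join(secrets.choice(PIN_ALPHABET) for _ in range(MIN_LEN))
        self._set(user_id, pin, must_change=True)
        return pin
    def login(self, user_id, pin):
        rec = self._users.get(user_id)
        if rec is None or rec["locked"]:
            return "no_user" if rec is None else "locked"
        if hmac.compare_digest(self._hash(pin, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            return "change_required" if rec["must_change"] else "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_ATTEMPTS:
            rec["locked"] = True   # lockout after a fixed number of failed attempts
            return "locked"
        return "bad_pin"
    def change_pin(self, user_id, old_pin, new_pin):
        # Self-service change: the user proves the old PIN, no IT-staff assistance
        if (self.login(user_id, old_pin) not in ("ok", "change_required")
                or not pin_meets_policy(new_pin)):
            return False
        self._set(user_id, new_pin, must_change=False)
        return True
```

Unlocking a locked account and the out-of-band delivery of the issued PIN are left to the surrounding process, as the thread describes them.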




