Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: PIN policy

from [Starnes, Richard] Network Security [Permanent Link]
Subject: RE: PIN policy
Date: Fri, 15 Jul 2005 10:50:10 +0100 
You might have a look at this:

http://www.apacs.org.uk/downloads/PIN_Administration_Policy.pdf

Richard Starnes, MSc, CISSP, BS7799 Auditor, MCSE
Director of Incident Response
Managed Security Operations Centre (MSOC)
Cable and Wireless
E-mail: richard.starnes@cw.com
Fax: +44 (0) 207-758-4001
Mobile: +44 (0) 77-7167-3727
Direct: +44 (0) 208-955-0868
Skype: CALLTO://rstarnes

President, ISSA UK chapter <http://www.issa-uk.org/>
Best Managed Security Service, SC Magazine Awards, Finalist 2003, 2005
Best Information Security Manager, SC Magazine Awards, Finalist 2005



-----Original Message-----
From: Starnes, Richard 
Sent: 14 July 2005 09:47
To: security-management@securityfocus.com
Subject: RE: PIN policy


How does your definition differ from that of a password?

Richard Starnes, MSc, CISSP, BS7799 Auditor, MCSE
Director of Incident Response
Managed Security Operations Centre (MSOC)
Cable and Wireless
E-mail: richard.starnes@cw.com
Fax: +44 (0) 207-758-4001
Mobile: +44 (0) 77-7167-3727
Direct: +44 (0) 208-955-0868
Skype: CALLTO://rstarnes

President, ISSA UK chapter <http://www.issa-uk.org/>
Best Managed Security Service, SC Magazine Awards, Finalist 2003, 2005
Best Information Security Manager, SC Magazine Awards, Finalist 2005



-----Original Message-----
From: Brian [mailto:briant2891@hotmail.com]
Sent: 13 July 2005 19:32
To: security-management@securityfocus.com
Subject: RE: PIN policy


*   Minimum length 8 characters
*   Not in any dictionary.
*   No word or phrase bearing any connection to the holder.
*   Containing no characters in the ASCII character set.
*   No characters typeable on a Sun type 5 keyboard
*   No subset of one character or more must have appeared 
on Usenet news,
/dev/mem, rand(3), or the King James bible (version 0.1alpha)
*   Must be quantum theoretically secure, i.e. must 
automatically change if
observed (to protect against net sniffing).
*   Binary representation must not contain any of the 
sequences 00 01 10 11,
commonly known about in hacker circles.
*   Be provably different from all other passwords on the internet.
*   Not be representable in any human language or written script.
*   Color passwords must use a minimum 32 bit palette.
*   Changed prior to every use.
*   Resistant to revelation under threat of physical violence.
*   Contain tissue samples of at least 3 vital organs.
*   Incontrovertible by OJ Simpson's lawyers.
*   Undecodable by virtue of application of 0 way hash function.
*   Odorless, silent, invisible, tasteless, weightless, 
shapeless, lacking
form and inert.
*   Contain non-linear random S-boxes (without a backdoor).
*   Self-escrowable to enable authorities to capture 
kiddie-porn people and
baddies but not the goodies ("but we'll only decode it with a 
court order,
honest").
*   Not decryptable by exhaustive application of possible 
one time pads.



Hi,

PIN policy could include the following technical areas . 

Depending on the

delivery channel and its strengths/limitations the specific 

standards and

guidelines for each channel can be built. e.g. Internet 

Banking might

allow
8 characters while ATM and IVR might be limited to 4 .

**Strength of PIN**


*

  Minimum length of PIN should be 8 or whatever maximum 

is permitted

by the application
*

  PIN should include alphabets, numerals and special characters


**PIN generation and communication**


*

  PIN generation and communication process should ensure 

that only the

customer has access to it.
*

  User-ID and PIN should be communicated separately to customer.


**PIN usage **



*

  Application should force user to change PIN at first login.


**PIN security**


*

  PIN should be transmitted in encrypted/hashed format 

from client to

server

*

  Application should have facility for user to change PIN 

at any time

without IT-staff assistance.
*

  Application should ensure PIN is stored with one-way 

encryption to

ensure system administrator cannot access  PIN information.
*

  Application should lockout users after fixed number of 

unauthorized

attempts.

**PIN recovery**

*

  Lost PIN recovery process should ensure that random PIN are
generated. Application should force change of PIN at next login.




Jose Varghese

Paladion Networks

Application Security Magazine
http://palisade.paladion.net


  _____

From: Murli Nambiar [mailto:murli.n@rediffmail.com]
Sent: Friday, July 08, 2005 12:33 PM
To: security-management@securityfocus.com
Subject: PIN policy



Hi everyone,

I have a requirement to have a policy on PIN (Personal 

Identification

Number), would anyone have a PIN policy which could be 

shared or guide me

towards some resource. I checked across many of the sites 

like NIST, SANS

but was not able to find anything.

The policy has to be more from a technical angle which 

every channel (ATM,

IVR or Internet Banking) needs to follow or consider.

Thanks in advance.
Murli






 <http://clients.rediff.com/signature/track_sig.asp>









This e-mail has been scanned for viruses by the Cable & Wireless e-mail 
security system - powered by MessageLabs. For more information on a proactive 
managed e-mail security service,  visit http://www.cw.com/uk/emailprotection/ 
 
The information contained in this e-mail is confidential and may also be 
subject to legal privilege. It is intended only for the recipient(s) named 
above. If you are not named above as a recipient, you must not read, copy, 
disclose, forward or otherwise use the information contained in this email. If 
you have received this e-mail in error, please notify the sender (whose contact 
details are above) immediately by reply e-mail and delete the message and any 
attachments without retaining any copies.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Infosec User Awareness And Training Handbook, Cyber Gardie
Next by Date:  Segregation of Duities and least priviliges for DB, Nabil MALIK / KTEFH - OTAS
Previous by Thread:  RE: PIN policy, Starnes, Richard
Next by Thread:  Development of Information Security Professionals, Adnan Shahid
Indexes:  [Date] [Thread] [Top] [All Lists]