
| Subject: | RE: Two-Factor Authentication on the Web |
|---|---|
| Date: | Fri, 30 Jun 2006 17:39:26 +0300 |
Wouldn't biometrics be intercept-able as data transmission packets and faked when used over a civilian network?

-----Original Message-----
From: Tim [mailto:pand0ra.usa@gmail.com]
Sent: Friday, 30 June 2006 9:04 AM
To: Nick Owen
Cc: Harper. Matthew; RSD; webappsec@securityfocus.com
Subject: Re: Two-Factor Authentication on the Web

I don't see the credit bureaus jumping on that wagon. Currently there is no risk to them and they are making money hand-over-fist because of ID theft. Since there is no risk why would they shell out tons of money to come up with a solution for someone else's problem?

I do agree that the initial validation of someone's identity is problematic. The document here is talking about authentication, which is related to the initial validation and trying to initially validate every user through a definite means is impractical. Since names and social security numbers and other similar concepts are labels that we apply to ourselves the only way I see that you can accurately validate someone would be through biometrics (something you are). Granted there can be issues with replay attacks but it could be used for initial identification. There is no way you can really validate someone's identity without them being there in person (start the flame war). Sure, you can lie when you go in but the risk of being caught is much higher.

I see one of the problems being that a financial institution has to find a balance that is cost effective and can reasonably validate someone's identity remotely.

Sorry about some of the fragmented sentences, but I have had enough fun for one day.
Seems to me that transaction analysis would be tough to do on a credit application. Where is the history? (I assume your company only does online credit apps.)

Any 2FA system might also be problematic: how do you do the initial validation & credentialing? If you can do the initial validation securely, why not use that as the risk mitigation method?

Seems to me this is a good opportunity for a credit bureau to partner with an authentication vendor to offer initial validation/credentialing and 2FA.

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen

-------------------------------------------------------------------------
Sponsored by: Watchfire

As web applications become increasingly complex, tremendous amounts of sensitive data - personal, medical and financial - are exchanged, and stored. Consumers expect and demand security for this information. This whitepaper examines a few vulnerability detection methods - specifically comparing and contrasting manual penetration testing with automated scanning tools. Download "Automated Scanning or Manual Penetration Testing?" today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=701300000008BOQ
--------------------------------------------------------------------------