von at fugal.net
Sun Mar 18 17:53:28 MDT 2007
* Levi Pearson [Wed, 14 Mar 2007 at 11:22 -0600]
> Topher Fischer <javert42 at cs.byu.edu> writes:
> > Since I've started working on this, I haven't used a login form that
> > wasn't given to me over SSL. Luckily, everything I use has some sort of
> > secure login form somewhere on their site. I've tried to find one for
> > Zion's bank, and haven't been able to. Fortunately, I don't bank with them.
> Zion's Bank uses one of those new-fangled multi-step logins. You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over an SSL connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password. Since only the user id is entered into the form
> in the non-SSL page, it should be safe from your particular attack.
Unfortunately, with Zions, at least as far as I've seen, the "username"
that they use is your SSN. On top of that, what I really don't get is
why if you try to put https in front of the home page it just fails to
load at all. I called once about this but lost patience when the
bonehead on the phone just insisted that "the password page is secure".