- #1
kleinwolf
Suppose I do the following : I have an account NUMBER, with a PIN, and an ACCESS CARD with random numbers on it.
The system proposed by the bank makes the following clear : you know which code the next time will be asked to log in...so this means : the bank has clear confidence in the customer ? Because why an ACCESS CARD with numbers...because we were frightened of middle attacks of passwords.
So I can send 1 code only, to somebody with PIN and NUMBER. If the person tries it..makes a transaction...then I can know if it was neutral or not. The person could change the PIN, but then I could notice. So it has either to be neutral in only 1 log...which has to be quickly done, because you can do several transactions on an account with one ACCESS CODE.
But then, from the bank : for your security, we changed your list by 5 positions...what does it mean for me who has done the fraud ?...nobody asked me the next 4 codes...there are 1/9^6 chances at each code to be found...because since the bank has control on the account, the bank can control the account without making the list change, because else I could see on my side...when I receive by paper the account statement at home, the list does not change for access code...so now the person could ask through the bank to give me the money as the other wants? I don't know which kind of lawsuit I'll get...
So what have I done ? I proposed : if the person wants a certain amount of money, it can take before some date, in order to have a delay for decision, in a few years. But in between I used the money myself...so I locked the person and myself. But what did the bank do ? It verified if I still had the money ??..no...because I never told the bank, but the person...since I have not...I'm in fraud...not towards the bank, but towards the person, who, through the bank, accuses me of "fallacious possibility of money making"...if I do the same but I put the data on a website, or with a kind of path : like click here to have password...
It's like if I say : I give you 100 tomorrow...but I use them.
There are other systems like : the code changes all the time you load the page...so if the periodicity is clear, because you have the whole list, then the same error can be done...that kind of system is easily put in order by the institution, just make a non periodic function.
But there are systems of transactional security which do not allow that kind of fraud...: they don't give you the list...but a random generator, that even with the same INPUT code from the bank, you cannot know what is the output, because it's different at each time. The user can check...and cannot give the code to somebody, because the next time it will be else, even for him.
So may I say : well I could do the previous fraud, because your system is evidently possible to put in that kind of problems ??
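One way to build the kind of generator described in the last paragraphs of the post, as an added example that is not part of the original post and not any bank's actual system: the token derives each 6-digit code from a shared secret, the bank's input code and a use counter, so no list of future codes exists to read off a card. The class names, the look-ahead window and the sample secret and challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6   # same code length as the 6-digit card codes in the post
WINDOW = 3   # assumption: bank tolerates a few generated-but-unused codes


def token_code(secret: bytes, challenge: str, counter: int) -> str:
    """Truncated HMAC over a use counter plus the bank's challenge."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + challenge.encode(),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, borrowed from HOTP (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Token:
    """Customer device: holds the secret, never shows a list of future codes."""
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def respond(self, challenge: str) -> str:
        code = token_code(self._secret, challenge, self._counter)
        self._counter += 1  # every use advances the state
        return code


class Bank:
    def __init__(self, secret: bytes):
        self._secret, self._counter = secret, 0

    def verify(self, challenge: str, code: str) -> bool:
        for c in range(self._counter, self._counter + WINDOW):
            if hmac.compare_digest(token_code(self._secret, challenge, c), code):
                self._counter = c + 1  # accepted and older codes are now dead
                return True
        return False


def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    bank, token = Bank(secret), Token(secret)
    challenge = "483920"                 # constructed bank INPUT code
    first, second = token.respond(challenge), token.respond(challenge)
    return (first != second,                 # same input, different output
            bank.verify(challenge, first),   # True: fresh code accepted
            bank.verify(challenge, first),   # False: passed-on code is spent
            bank.verify(challenge, second))  # True: next code still works
```

Unlike a printed card, the next code cannot be read in advance, and a code that has been accepted once is rejected on any later attempt.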