
Site Security Planning

Authentication

Customers will open accounts and connect with your firm over the Internet, using the online authentication scheme you choose. IDs and passwords that can be read easily are vulnerable to interception as they are transmitted over the Internet.

Some would-be intruders also possess tools to recover passwords that have been encrypted. Password-cracking programs capture encrypted password files, then compare the captured values against the encrypted forms of known passwords using a pattern-matching method. The matches are stored for later use against the site that sent the original encrypted passwords. For example, intruders sometimes use a program named L0phtcrack to recover passwords from Server Message Block (SMB) exchanges intercepted as they are transmitted across the Internet.
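As an added illustration (not code from the original page), the following Python shows why the matching step described above works against passwords protected by an unsalted, fast hash, and how a per-user random salt combined with a slow key-derivation function removes the reusable "known passwords" table; the password list and the "captured" digest are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords standing in for the attacker's "known passwords".
COMMON_PASSWORDS = ["password", "letmein", "123456", "qwerty", "welcome1"]

# Iteration count for the slow KDF; production systems tune this to their hardware.
KDF_ITERATIONS = 100_000


def precompute_unsalted(words, algo="md5"):
    """Build the table of encrypted known passwords: digest -> password.
    With an unsalted, fast hash this table is built once and reused against any site."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def match_captured(captured_hex, table):
    """The matching step from the text: look a captured digest up in the precomputed table."""
    return table.get(captured_hex.lower())


def hash_password(password, salt=None, iterations=KDF_ITERATIONS):
    """Hardened storage: a fresh 16-byte random salt per user plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, derived


def verify_password(password, salt, expected, iterations=KDF_ITERATIONS):
    """Constant-time comparison so the verifier does not leak how many bytes matched."""
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, expected)


def demo():
    table = precompute_unsalted(COMMON_PASSWORDS)
    # Constructed "captured" digest: an unsalted MD5 of the password 'letmein'.
    captured = hashlib.md5(b"letmein").hexdigest()
    recovered = match_captured(captured, table)           # -> 'letmein'
    # The same password stored twice with salts yields two different digests,
    # so no single precomputed table can serve both records.
    salt1, digest1 = hash_password("letmein")
    salt2, digest2 = hash_password("letmein")
    salts_differ = digest1 != digest2
    return recovered, salts_differ, verify_password("letmein", salt1, digest1), verify_password("password", salt1, digest1)
```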

Spoofing is an insidious method for gaining access to user IDs, passwords, and other private information. A spoofing operation uses network communications to fool the user into participating in an illegitimate event: the attacker sends what appears to be a link to a legitimate Web server or network service (spoofing the server or service) in order to collect important private information.

For example, an attacker might intercept an Internet communication, then send the user a dialog box with the false message that network service has been interrupted. The attacker then requests that the user log on again using his or her user ID and password. Spoofs can be used to hijack Telnet sessions, communications with boards and chat sessions, or e-mail transmissions.