What is swallowing of a Sesame confirmation code?

If a Sesame code is swallowed, it cannot be used again. It was basically a good code, but some other part of the transaction failed.

One of the result codes for a Sesame confirmation attempt is that the code entered was swallowed. This is not bad in any way, it merely indicates that something other than the Sesame confirmation code made the transaction fail.

For the user, it means that after a correct Sesame confirmation code has been swallowed, a new code must be entered. So the card must be inserted into the reader device once more.

Exploit thwarted

If confirmation codes were not swallowed in such situations, there would be an easy way to guess a confirmation code: simply set up an account that demands two cards in a confirmation -- one that we hold, and another whose code we want to guess.

We use the card in our possession to generate Sesame confirmation codes, but we knowingly and willingly enter a different code for it. At the same time, we make guesses at the possible confirmation codes for the other card. At some point, the other card's code does not cause a failure, while our own card causes the transaction as a whole to fail. Had the correct code for the other card not been swallowed, it would still be valid for the next attempt, and so the code for that card would effectively have been guessed.

This would effectively have made it useless to demand more than one Sesame card to confirm transactions. In general, the idea of swallowing is that it prevents the same code from being tried multiple times; this is also why we store wrongly guessed codes: to mark off their place in the sequence and demand a fresh number for the next attempt.
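As an added illustration (not code from the original post), a small Python model of a two-card confirmation that places the swallowing rule beside the weak variant in which a correct code stays valid after the transaction fails; the card names, code values and result-code names are constructed for the example.

```python
"""Model of multi-card Sesame-style confirmation with code swallowing.
Constructed example: each card carries a short fixed list of one-time codes;
the real Sesame device derives its codes, so these are test values only."""
from dataclasses import dataclass


@dataclass
class Card:
    codes: list          # one-time codes in sequence order (constructed)
    position: int = 0    # index of the next code the account accepts

    @property
    def expected(self):
        return self.codes[self.position]


class ConfirmationService:
    """Confirms a transaction that demands a code from every card.
    swallow=True consumes every code entered, right or wrong.  swallow=False
    consumes only wrong codes, leaving a correct one valid (the weak design)."""

    def __init__(self, cards, swallow=True):
        self.cards, self.swallow = cards, swallow

    def confirm(self, entered):
        matched = {cid: entered.get(cid) == c.expected for cid, c in self.cards.items()}
        ok = all(matched.values())
        outcome = {}
        for cid, card in self.cards.items():
            if ok:
                outcome[cid] = "CONFIRMED"
            elif not matched[cid]:
                outcome[cid] = "WRONG"       # wrong guess: its place in the sequence is marked off
            elif self.swallow:
                outcome[cid] = "SWALLOWED"   # good code, but another card failed the transaction
            else:
                outcome[cid] = "RETAINED"    # still valid: tells the caller the guess was right
            if outcome[cid] != "RETAINED":   # consumed codes advance the sequence
                card.position += 1
        return ok, outcome


def retry_scenario(swallow):
    """Fail card A deliberately while B's code is correct, then retry reusing
    B's code with A now correct. Returns (first_ok, first_outcome, retry_ok)."""
    cards = {"A": Card(["111111", "222222", "333333"]),
             "B": Card(["444444", "555555", "666666"])}
    svc = ConfirmationService(cards, swallow=swallow)
    ok1, out1 = svc.confirm({"A": "000000", "B": "444444"})
    ok2, _ = svc.confirm({"A": cards["A"].expected, "B": "444444"})
    return ok1, out1, ok2
```

With `swallow=False` the retry is accepted, so the failed first attempt has confirmed B's code; with `swallow=True` the same retry is rejected because B's code was consumed.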

Posted on Tue, 02 May 2006, 11:08.


OpenFortress