[shameless plug] Re: [clug] New script based Phishing makes Windows even less safe.

Martijn van Oosterhout kleptog at svana.org
Tue Nov 9 22:56:59 GMT 2004


On Wed, Nov 10, 2004 at 08:41:05AM +1100, Alex Satrapa wrote:
> On 9 Nov 2004, at 19:54, Sam Couter wrote:
> 
> >Not many banks, or no banks?
> 
> I think I should have said, "no financial institution that I am aware 
> of". What I've heard is that apart from the cost of the credit-card 
> sized number sequence generator (aka "one time pad") and its ease of 
> loss, they feel that most people would get confused about the security 
> protocol.

I can tell you that at least one bank here in Holland issues little
devices (called e-dentifiers, clever no? :) ) that work as follows:

1. You go to the internet banking site and enter your account number
and card number (these are printed on the card). These can be stored in
a cookie if you like.
2. You place your card (with a smart chip in it) in the e-dentifier and
enter your PIN. These devices are not keyed to a particular person; you
can use anyone's device. The card is the key.
3. You then type in the 8-digit (presumably random) code you get from
the website into the device. It thinks a bit and spits back a 6-digit
number. 
4. Enter the 6-digit number into the website and you're in.

Which basically makes getting into internet banking require exactly as
much info as you need to use an ATM or make payments with the card. And
I've never heard anyone complain that it's too complicated. They
actually feel it's pretty secure. It certainly feels like it. I wonder
about the algorithm used, but they don't tell you that, I'm sure.

Duplicating the card by copying the stripe won't work since the stripe
is ignored and I think those smart card chips are pretty tamper proof.
Seems like practical real-world challenge-response authentication.

Of course, in Australia there's not a smart card in sight, so you'd have
to give some kind of swipe thingy, which would seem to be quite a bit
bulkier and more prone to dropping than these things. I haven't worked
out where the power comes from yet, probably a battery.

Oh yeah, and the banks here make money by using your money for other
things rather than charge you bank fees. None of this stuff they send
you for internet banking costs you a cent.

Have a nice day,
-- 
Martijn van Oosterhout   <kleptog at svana.org>   http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
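The four-step login described in the message above, as an added simulation that is not part of the original post and not the bank's real algorithm (which, as the author notes, is undisclosed): the card holds a secret key the bank also has a copy of, checks the PIN itself, and answers the website's 8-digit challenge with a 6-digit truncated HMAC; the server keeps one outstanding challenge per card, so a captured response cannot be replayed. The HMAC construction, the truncation, the three-try PIN lockout and the card number, key and PIN values are all assumptions.

```python
import hmac
import hashlib
import secrets

CHALLENGE_DIGITS = 8   # what the website shows (step 3)
RESPONSE_DIGITS = 6    # what the device spits back (step 3)


def _truncate(mac: bytes) -> str:
    """Reduce a MAC to a fixed number of decimal digits a person can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class SmartCard:
    """Stand-in for the chip: the key never leaves it, and it checks the PIN itself."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin
        self.pin_tries_left = 3  # assumed lockout, as a real chip would enforce

    def respond(self, pin: str, challenge: str) -> str:
        if self.pin_tries_left == 0:
            raise PermissionError("card blocked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            raise PermissionError("wrong PIN")
        self.pin_tries_left = 3
        return _truncate(hmac.new(self._key, challenge.encode(), hashlib.sha256).digest())


class BankServer:
    """Holds the bank's copy of each card key and one outstanding challenge per card."""

    def __init__(self):
        self._keys = {}      # card number -> key
        self._pending = {}   # card number -> challenge not yet answered

    def enroll(self, card_number: str, key: bytes) -> None:
        self._keys[card_number] = key

    def issue_challenge(self, card_number: str) -> str:
        challenge = f"{secrets.randbelow(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[card_number] = challenge
        return challenge

    def verify(self, card_number: str, response: str) -> bool:
        challenge = self._pending.pop(card_number, None)  # single use: a replay finds nothing
        if challenge is None or card_number not in self._keys:
            return False
        expected = _truncate(hmac.new(self._keys[card_number], challenge.encode(), hashlib.sha256).digest())
        return hmac.compare_digest(expected, response)
```

A full round trip is `bank.enroll(no, key)`, `c = bank.issue_challenge(no)`, `bank.verify(no, card.respond(pin, c))`; the second `verify` with the same response returns False because the challenge was consumed.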