[shameless plug] Re: [clug] New script based Phishing makes Windows even less safe.

Daniel McNamara daniel at codefish.net.au
Tue Nov 9 23:10:49 GMT 2004


Bendigo Bank is testing a similar device at present but to the best of 
my knowledge none of the major banks have. I do know some of them are 
testing a new system where if you need to make large transactions via 
net banking you need to have your mobile handy as they SMS you an 
authentication code.

Not sure how they obtain the mobile phone number but I assume you need 
to present it in person at the bank (after all entering it into the net 
banking would be a little pointless if someone has unauthorised access 
to your net banking account)

Daniel

>I can tell you that at least one bank here in Holland issues little
>devices (called e-dentifiers, clever no? :) ) that work as follows:
>
>1. You go to the internet banking site and enter your account number
>and card number (these are printed on the card). These can be stored in
>a cookie if you like.
>2. You place your card (with a smart chip in it) in the e-dentifier and
>enter your PIN. These devices are not keyed to a particular person, you
>can use anyone's device. The card is the key.
>3. You then type in the 8-digit (presumably random) code you get from
>the website into the device. It thinks a bit and spits back a 6-digit
>number. 
>4. Enter the 6-digit number into the website and you're in.
>
>Which basically makes getting into internet banking require exactly as
>much info as you need to use an ATM or make payments with the card. And
>I've never heard anyone complain that it's too complicated. They
>actually feel it's pretty secure. It certainly feels like it, I wonder
>about the algorithm used but they don't tell you that, I'm sure.
>
>Duplicating the card by copying the stripe won't work since the stripe
>is ignored and I think those smart card chips are pretty tamper proof.
>Seems like practical real-world challenge-response authentication.
>
>Of course, in Australia there's not a smart card in sight, so you'd have
>to give some kind of swipe thingy, which would seem to be quite a bit
>bulkier and more prone to dropping than these things. I haven't worked
>out where the power comes from yet, probably a battery.
>
>Oh yeah, and the banks here make money by using your money for other
>things rather than charge you bank fees. None of this stuff they send
>you for internet banking costs you a cent.
>
>Have a nice day,
>  
>
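
The four-step login quoted above, as an added example that is not part of the original posts or any bank's code. The poster notes the real algorithm is undisclosed, so this assumes a shared per-card key and an HMAC-SHA256 response truncated to 6 digits in the style of HOTP; `Bank`, `Card`, `response_code` and all sample values are hypothetical.

```python
import hashlib
import hmac
import secrets


def response_code(card_key: bytes, challenge: str) -> str:
    """6-digit response: HMAC of the challenge, truncated the way HOTP does."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"


class Bank:
    """Server side: holds each card's key and issues single-use challenges."""
    def __init__(self, card_keys):
        self.card_keys = card_keys
        self.pending = {}  # card number -> outstanding challenge

    def issue_challenge(self, card_no: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"  # 8 random digits
        self.pending[card_no] = challenge
        return challenge

    def verify(self, card_no: str, response: str) -> bool:
        challenge = self.pending.pop(card_no, None)  # consumed: no replay
        if challenge is None:
            return False
        expected = response_code(self.card_keys[card_no], challenge)
        return hmac.compare_digest(expected, response)


class Card:
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin  # key stays on the chip

    def sign(self, pin: str, challenge: str):
        if not hmac.compare_digest(pin, self._pin):  # PIN gates the key
            return None
        return response_code(self._key, challenge)


def demo():
    key = secrets.token_bytes(32)  # constructed sample key
    bank, card = Bank({"1234567": key}), Card(key, "4321")
    challenge = bank.issue_challenge("1234567")
    response = card.sign("4321", challenge)
    first = bank.verify("1234567", response)
    replay = bank.verify("1234567", response)  # challenge already spent
    return first, replay
```

Because the bank consumes each challenge on the first verification attempt, a 6-digit code captured by a phishing page is useless for a later login, which is the property that separates this scheme from a static password.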


