[LINK] Security tokens
dlochrin at d2.net.au
Wed Nov 14 18:53:25 EST 2007
Many banks are issuing tokens these days. I have seen two, and both display a 6-digit number which must be entered on another screen after logging in with the usual userid and password. There's no challenge / response process, and the numbers are claimed to be non-repeating.
Does the Link Institute know the Principles of Operation?
Six decimal digits will encode a string of up to 19+ bits (values 0 to 1,048,575). If each device is designed to deliver a given set of (say) 10,000 numbers for each customer, then surely there is a 1% chance (10,000/1,048,575) that some random number will be valid for any randomly-chosen customer regardless of what mathematical magic is incorporated in the token.
If malware harvests 10 userid/password values, the chance that a randomly chosen token-number will be valid for at least one is 10% according to my calculation, and for 50 userid/password values the chance that a given random token number will be valid for at least one is 39% (1-0.99**50).
This is not impressively secure, though certainly better than nothing.. Perhaps entered token numbers are checked to see if they're within a certain range of the last one entered. which would improve matters. One wonders what the legal issues might be.
More information about the Link