[LINK] Security tokens

David Lochrin dlochrin at d2.net.au
Wed Nov 14 18:53:25 AEDT 2007


   Many banks are issuing tokens these days.  I have seen two, and both display a 6-digit number which must be entered on another screen after logging in with the usual userid and password.  There's no challenge / response process, and the numbers are claimed to be non-repeating.

   Does the Link Institute know the Principles of Operation?

   Six decimal digits will encode a string of up to 19+ bits (values 0 to 1,048,575).  If each device is designed to deliver a given set of (say) 10,000 numbers for each customer, then surely there is a 1% chance (10,000/1,048,575) that some random number will be valid for any randomly-chosen customer regardless of what mathematical magic is incorporated in the token.

   If malware harvests 10 userid/password values, the chance that a randomly chosen token-number will be valid for at least one is 10% according to my calculation, and for 50 userid/password values the chance that a given random token number will be valid for at least one is 39% (1-0.99**50).

   This is not impressively secure, though certainly better than nothing.  Perhaps entered token numbers are checked to see if they're within a certain range of the last one entered, which would improve matters.  One wonders what the legal issues might be.

David
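Added example (not part of David's post, and not a claim about how any particular bank's device works): one widely used design for a non-repeating 6-digit token is the event-based HOTP scheme of RFC 4226, where the code is a truncated HMAC-SHA1 over a per-customer secret and an incrementing counter, and the server accepts only codes within a small look-ahead window ahead of the last counter it saw. The look-ahead window is the "range of the last one entered" check the post speculates about. The secret below is the RFC 4226 Appendix D test-vector key; the window size and the `TokenServer` class are assumptions chosen for illustration. `guess_probability` carries the post's own arithmetic through for an arbitrary window and number of harvested accounts.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TokenServer:
    """Assumed server-side verifier (illustration, not a real product).

    Accepts a code only if it matches one of the next `window` counter
    values, then advances past the matched counter so the code cannot be
    replayed and the token and server stay in step."""

    def __init__(self, secret: bytes, window: int = 10, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            expected = hotp(self.secret, self.counter + i, self.digits)
            # constant-time comparison so timing does not leak the digits
            if hmac.compare_digest(expected, code):
                self.counter += i + 1  # consume this and any skipped counters
                return True
        return False


def guess_probability(window: int, accounts: int, digits: int = 6) -> float:
    """Chance that ONE random `digits`-digit guess is accepted for at least
    one of `accounts` harvested accounts when each account currently accepts
    `window` codes.  Treats the window's codes as distinct, so this is an
    upper bound (two counters in a window can collide on the same 6 digits)."""
    per_account = window / 10 ** digits
    return 1.0 - (1.0 - per_account) ** accounts


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test-vector key
    print(hotp(secret, 0))            # 755224 (RFC 4226 test vector)

    server = TokenServer(secret, window=5)
    print(server.verify(hotp(secret, 3)), server.counter)  # True 4
    print(server.verify(hotp(secret, 3)))                  # False: replay rejected

    # The post's figures: 10,000 live codes per customer vs. 50 harvested logins ...
    print(guess_probability(10_000, 50))
    # ... against a look-ahead window of 5 codes per customer.
    print(guess_probability(5, 50))
```

With a look-ahead window of a few codes rather than 10,000, a single random guess is accepted for one of 50 harvested accounts with probability on the order of 10^-4 rather than the 39% figure in the post, and a verifier in practice also locks the account after a handful of wrong codes, which bounds the number of guesses an attacker gets at all.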


