[LINK] Security tokens

Glen Turner gdt at gdt.id.au
Wed Nov 14 21:54:53 AEDT 2007


On Wed, 14 Nov 2007, Kim Holburn wrote:
> It might be secure and it might not.  Banks are not exactly known for 
> choosing technologically secure software systems or at least not being agile 
> when it comes to new threats.  It might be just a show of security to make 
> the client feel better.

It's easy to tell.

A secure token will ask you to enter the transaction details and
a PIN number per transaction. Even if the machine is compromised
the worst case is that the transaction is delayed or discarded --
the transaction cannot be spoofed.

You can actually tell if the transaction was applied rather than
discarded if the bank asks you to enter a code after the transaction as
well.

An insecure token will request only a PIN number and will request
it at the start of the session.  Unfortunately once you've "authenticated"
the session it's assumed all transactions are "authenticated". Of course,
the transaction moving your balance to a Swiss account may well be
spoofed by malicious software on your PC.

I've yet to see a secure banking system token. Doubtless the banks
think they are too inconvenient for people to use.

Cheers, Glen
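The distinction drawn above, between a token that only authenticates a session and one whose code is bound to the transaction details, modelled as an added Python example (not code from the original thread or from any bank). The HMAC-derived six-digit code, the per-token counter, the account numbers and the token seed are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str          # destination account as the user keyed it into the token
    amount_cents: int
    counter: int        # per-token counter so a captured code cannot be replayed


def _code(secret: bytes, message: str) -> str:
    """Six-digit code derived from an HMAC, the kind of value a token displays."""
    digest = hmac.new(secret, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def session_code(secret: bytes, pin: str, session_id: str) -> str:
    """Insecure token: the code covers only the PIN and the session."""
    return _code(secret, f"session|{pin}|{session_id}")


def transaction_code(secret: bytes, pin: str, tx: Transaction) -> str:
    """Secure token: the code is bound to the payee and amount the user keyed in."""
    return _code(secret, f"tx|{pin}|{tx.payee}|{tx.amount_cents}|{tx.counter}")


def bank_accepts_session_tx(secret: bytes, pin: str, session_id: str,
                            code: str, tx: Transaction) -> bool:
    # Only the session is verified; whatever transaction arrives is trusted blindly.
    return hmac.compare_digest(session_code(secret, pin, session_id), code)


def bank_accepts_signed_tx(secret: bytes, pin: str, code: str, tx: Transaction) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    return hmac.compare_digest(transaction_code(secret, pin, tx), code)


def simulate(tamper: bool) -> dict:
    """Return whether each token type lets a (possibly altered) transaction through."""
    secret, pin = b"constructed-token-seed", "4821"      # constructed values
    intended = Transaction("12-3456 7890123", 10_000, 7)  # what the user typed
    # Malware on the PC rewrites payee and amount after the user has "authenticated".
    received = Transaction("99-9999 0000000", 500_000, 7) if tamper else intended
    s_code = session_code(secret, pin, "sess-42")
    t_code = transaction_code(secret, pin, intended)
    return {
        "session_token": bank_accepts_session_tx(secret, pin, "sess-42", s_code, received),
        "transaction_token": bank_accepts_signed_tx(secret, pin, t_code, received),
    }
```

With `tamper=True` the session-only token still accepts the rewritten transfer, while the transaction-bound code fails verification because the payee and amount no longer match what was signed.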
