[LINK] Security tokens
Karl Auer
kauer at biplane.com.au
Wed Nov 14 22:39:57 AEDT 2007
On Wed, 2007-11-14 at 21:24 +1030, Glen Turner wrote:
> A secure token will ask you to enter the transaction details and
> a PIN number per transaction.
> [...]
> An insecure token will request only a PIN number and will request
> it at the start of the session. Unfortunately once you've
> "authenticated" the session it's assumed all transactions are
> "authenticated". Of course, the transaction moving your balance to a
> Swiss account may well be spoofed by malicious software on your PC.

Per transaction is way more secure than per session, but per session
with a token is way more secure than a two-factor session, which is what
most banks offer (or offered, I don't know what the situation is now).

Software that is hijacking your computer as you operate it can just as
well fake parts of the transaction as the whole transaction - showing
you account number X while really sending account number Y etc. You
can't really, really know, and entering PINs fore, aft and amidships
won't change that.

Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au) +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/ +61-428-957160 (mob)
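
The difference between a per-session code and a per-transaction code, as described in the quoted text, shown from the bank's side of the check. This is an added example, not part of the original message. It assumes a token that shares a secret key with the bank and derives a short code from a truncated HMAC-SHA256; all function names, the key and the account numbers are constructed for illustration, and the PIN that unlocks the token is not modelled.

```python
import hashlib
import hmac

# Constructed demo key; a real token holds a per-device secret shared with the bank.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"


def _code(key: bytes, message: bytes, digits: int = 8) -> str:
    """Truncate an HMAC-SHA256 tag to a short decimal code a user can type."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


def session_code(key: bytes, counter: int) -> str:
    """Per-session token: the code covers only a counter, not any transaction."""
    return _code(key, b"session|%d" % counter)


def transaction_code(key: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Per-transaction token: the user keys the details into the token itself."""
    msg = b"txn|%d|%s|%d" % (counter, dest_account.encode(), amount_cents)
    return _code(key, msg)


def bank_accepts_session(key, counter, code, dest_account, amount_cents) -> bool:
    """Bank check for a session token: the transaction fields play no part."""
    return hmac.compare_digest(code, session_code(key, counter))


def bank_accepts_transaction(key, counter, code, dest_account, amount_cents) -> bool:
    """Bank check for a transaction token: recompute over the fields it received."""
    expected = transaction_code(key, counter, dest_account, amount_cents)
    return hmac.compare_digest(code, expected)


def demo() -> dict:
    intended = ("111-222", 5000)  # what the user keyed into the token (constructed)
    received = ("999-888", 5000)  # what reached the bank after alteration on the PC
    s = session_code(TOKEN_KEY, 1)
    t = transaction_code(TOKEN_KEY, 1, *intended)
    return {
        "session_intended": bank_accepts_session(TOKEN_KEY, 1, s, *intended),
        "session_altered": bank_accepts_session(TOKEN_KEY, 1, s, *received),
        "txn_intended": bank_accepts_transaction(TOKEN_KEY, 1, t, *intended),
        "txn_altered": bank_accepts_transaction(TOKEN_KEY, 1, t, *received),
    }
```

Calling `demo()` returns the bank's decision for each case: the session code verifies whichever destination account arrives, while the transaction code verifies only for the details that were keyed into the token.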