[LINK] Security tokens

Karl Auer kauer at biplane.com.au
Wed Nov 14 22:39:57 AEDT 2007

On Wed, 2007-11-14 at 21:24 +1030, Glen Turner wrote:
> A secure token will ask you to enter the transaction details and
> a PIN number per transaction.
> [...]
> An insecure token will request only a PIN number and will request
> it at the start of the session.  Unfortunately once you've
> "authenticated" the session its assumed all transactions are
> "authenticated". Of course, the transaction moving your balence to a
> Swiss account may well be spoofed by malicious software on your PC.

Per transaction is way more secure than per session, but per session
with a token is way more secure than a two-factor session, which is what
most banks offer (or offered, I don't know what the situation is now).

Software that is hijacking your computer as you operate it can just as
well fake parts of the transaction as the whole transaction - showing
you account number X while really sending account number Y etc. You
can't really, really know, and entering PINs fore, aft and amidships
won't change that.

Regards K.

Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

More information about the Link mailing list