[LINK] Security tokens
Kim Holburn
kim.holburn at gmail.com
Wed Nov 14 22:44:42 AEDT 2007
On 2007/Nov/14, at 11:54 AM, Glen Turner wrote:
> On Wed, 14 Nov 2007, Kim Holburn wrote:
>> It might be secure and it might not. Banks are not exactly known
>> for choosing technologically secure software systems or at least
>> not being agile when it comes to new threats. It might be just a
>> show of security to make the client feel better.
>
> It's easy to tell.
>
> A secure token will ask you to enter the transaction details and
> a PIN number per transaction. Even if the machine is compromised
> the worst case is that the transaction is delayed or discarded --
> the transaction cannot be spoofed.
Huh? The one I have is a little dingus, a fob if you will - you
press a button and get a number. That's it. You can't enter anything.
> You can actually tell if the transaction was applied rather than
> discarded if the bank asks you to enter a code after the
> transaction as well.
>
> An insecure token will request only a PIN number and will request
> it at the start of the session. Unfortunately once you've
> "authenticated" the session it's assumed all transactions are
> "authenticated". Of course, the transaction moving your balance to
> a Swiss account may well be spoofed by malicious software on your PC.
>
> I've yet to see a secure banking system token. Doubtless the banks
> think they are too inconvenient for people to use.
>
> Cheers, Glen
--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
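The distinction Glen draws above, between a token whose code is computed over the transaction details and a press-the-button fob whose code only proves the session, as an added example that is not part of the thread. It assumes a shared HMAC secret provisioned into the token, a per-transaction counter and an 8-digit truncation; the secret and transaction values are constructed for illustration and are not any bank's actual scheme.

```python
import hmac
import hashlib

# Constructed secret shared between the token and the bank (illustrative only).
TOKEN_SECRET = b"constructed-token-secret-0001"


def _truncate(digest: bytes) -> str:
    # Reduce the MAC to 8 decimal digits a person can key in.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-signing token: the code binds payee, amount and counter."""
    msg = f"{counter}|{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def session_code(secret: bytes, counter: int) -> str:
    """Press-the-button fob: the code depends on the counter alone."""
    msg = f"{counter}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_signed(secret, counter, payee, amount_cents, code) -> bool:
    """Bank recomputes the code over the details it actually received."""
    expected = transaction_code(secret, counter, payee, amount_cents)
    return hmac.compare_digest(expected, code)


def bank_accepts_session(secret, counter, payee, amount_cents, code) -> bool:
    """Bank checks the session code; payee and amount play no part."""
    expected = session_code(secret, counter)
    return hmac.compare_digest(expected, code)


def demo():
    # The user keys 'plumber' and 120.00 into the token and gets a code.
    code = transaction_code(TOKEN_SECRET, 7, "plumber", 12000)
    ok_intended = bank_accepts_signed(TOKEN_SECRET, 7, "plumber", 12000, code)
    # If the PC submits different details, the bank's recomputation fails.
    ok_altered = bank_accepts_signed(TOKEN_SECRET, 7, "other-acct", 12000, code)
    # With a session-only code the altered details verify just the same,
    # which is why the bank cannot tell them apart.
    s = session_code(TOKEN_SECRET, 7)
    ok_session_altered = bank_accepts_session(TOKEN_SECRET, 7, "other-acct", 12000, s)
    return ok_intended, ok_altered, ok_session_altered
```

`demo()` returns `(True, False, True)`: the transaction-bound code rejects altered details while the session code accepts them.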