[LINK] Security tokens

Kim Holburn kim.holburn at gmail.com
Wed Nov 14 22:44:42 AEDT 2007

On 2007/Nov/14, at 11:54 AM, Glen Turner wrote:

> On Wed, 14 Nov 2007, Kim Holburn wrote:
>> It might be secure and it might not.  Banks are not exactly known  
>> for choosing technologically secure software systems or at least  
>> not being agile when it comes to new threats.  It might be just a  
>> show of security to make the client feel better.
> It's easy to tell.
> A secure token will ask you to enter the transaction details and
> a PIN number per transaction. Even if the machine is compromised
> the worst case if that the transaction is delayed or discarded --
> the transaction cannot be spoofed.

Huh?  The one I have is a little dingus, a fob if you will, - you  
press a button and get a number.  That's it.  You can't enter anything.

> You can actually tell if the transaction was applied rather than
> discarded if the bank asks you to enter a code after the  
> transaction as
> well.
> An insecure token will request only a PIN number and will request
> it at the start of the session.  Unfortunately once you've  
> "authenticated"
> the session its assumed all transactions are "authenticated". Of  
> course,
> the transaction moving your balence to a Swiss account may well be
> spoofed by malicious software on your PC.
> I've yet to see a secure banking system token. Doubtless the banks
> think they are too inconvenient for people to use.
> Cheers, Glen

Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961

More information about the Link mailing list