[LINK] Security tokens
dlochrin at d2.net.au
Thu Nov 15 11:26:45 AEDT 2007
On Thursday 15 November 2007 07:57, Roger Clarke wrote:
> [Embarrassed that I didn't know as much about this as I should, I
> flicked David's RFI on to Steve Wilson. Steve's a security
> consultant and sometime linker. I found his answer even more useful
> than Steve Jenkin's pretty good one.]
Thanks Roger and Steve; that was very interesting.
One bank, to take an example, only requests a token password when a user first establishes a session so a man-in-the-middle (MIM) attacker could presumably hijack the session after that point and take their time to do what they pleased.
It would be much better to request a token password when committing any "sensitive" (involving transfer of funds) transaction because the password could then be tied to the particular transaction. It would have to be entered at a point in the user dialogue where the server asks for confirmation of a transaction it has already set up.
Having said that, I think all banks would use an SSL connection for the full duration of each browser session and I believe SSL provides good protection against MIM attacks. Even so, use of token passwords when committing sensitive transactions would probably circumvent more sophisticated MIM attacks mediated by malware in a user's computer, if that's possible.
In the past, at least, I know of one share-trading institution which only used SSL during the authentication phase.
More information about the Link