[LINK] Security tokens

David Lochrin dlochrin at d2.net.au
Thu Nov 15 11:26:45 AEDT 2007

On Thursday 15 November 2007 07:57, Roger Clarke wrote:
> [Embarrassed that I didn't know as much about this as I should, I
> flicked David's RFI on to Steve Wilson.  Steve's a security
> consultant and sometime linker.  I found his answer even more useful
> than Steve Jenkin's pretty good one.]

   Thanks Roger and Steve; that was very interesting.

   One bank, to take an example, only requests a token password when a user first establishes a session so a man-in-the-middle (MIM) attacker could presumably hijack the session after that point and take their time to do what they pleased.

   It would be much better to request a token password when committing any "sensitive" (involving transfer of funds) transaction because the password could then be tied to the particular transaction.  It would have to be entered at a point in the user dialogue where the server asks for confirmation of a transaction it has already set up.

   Having said that, I think all banks would use an SSL connection for the full duration of each browser session and I believe SSL provides good protection against MIM attacks.  Even so, use of token passwords when committing sensitive transactions would probably circumvent more sophisticated MIM attacks mediated by malware in a user's computer, if that's possible.

   In the past, at least, I know of one share-trading institution which only used SSL during the authentication phase.


More information about the Link mailing list