On Sun, Jul 17, 2005 at 01:37:45PM +0200, Ole Tange wrote:
> Earlier in my life I took part in security evaluating the internet
> security of a bank. If most banks have similar security I would be
> very surprised if someone was capable of altering hardware on the
> bank's premises.
>> A notably exception is Jyske Bank, which sends one time passwords to
> the user by mail. The one time passwords are 80 numbers on a piece of
> paper the same size of your credit card. The list is like: 01.ag 1923,
> 02.ry 3658, 03.ir 2873. When you want to do something in the bank you
> are asked for a one time password (eg. 02.ry). When most of your one
> time passwords are used, a new list of one time passwords are sent to
> your physical address.
The big risk server-side these days is man-in-the-middle though, for
which even OTP offers no protection;
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
:(
> Using this setup it is much harder to do an attack on the client. You
> could do a man-in-the-middle, and do another transaction than the user
> asked for. But you would have to falsify the electronic account statements
> as well.
Why? With a MITM you can just pass right back whatever information the
real server is giving you.
--
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
