RE: [ILUG] aib 24hour-online

From: David Nicholls (David.Nicholls at domain ashling.com)
Date: Tue 09 May 2000 - 11:35:36 IST


Hello Noel,

Until recently they did use a calculator-sized token generator by RACAL
called WatchWordII.
The system had strong potential to be very secure as without breaking the
encryption system of the watchword token there was no way of breaking the
system.

In use you did the following:

1. Web page prompted you for 6-digit user ID
2. When entered, the page gave you a 7-digit challenge code
3. You powered up your Watchword token and entered a 4-digit PIN number to
authenticate yourself (max 3 tries before it stopped working)
4. You then entered the challenge and it countered with a 7-digit response.
5. You entered that on the webpage (SSL secured) and you were in.

Sounds good in theory but in practice it was very, very slow.
The backend servers processing the encryption etc in BOI were incredibly
slow and you would very often have to wait 1-2 mins before your page would
update and 4 times out of 5 it would simply fail.

BOI have now phased out the system and are replacing it with a system
requiring

1. 6 digit Usercode
2. 3 digits of a 6 digit pin code (Same pin as Banking 365 (telephone
banking))
3. Some other misc bits of info supplied at signup including:
        Eye colour
        Favourite type of Music
        Favourite type of film
        Date of Birth.

By the end of this month all token users will have been moved onto the pin
system and the tokens option removed.

Clearly the system isn't as secure as the old one but then again you can't
do very much with it anyway.
You can only transfer money between your own accounts and pay bills.
The security threat to BOI is not the possibility of stealing money but more
the personal privacy of the user, as the main feature of the system is the
ability to look at up to 1 year's worth of statement history.
Also the new system is considerably more useable and much faster than the
old one.

        Dave.

-----Original Message-----
From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie] On Behalf Of Noel Carroll
Sent: 09 May 2000 10:17
To: 'ILUG list'
Subject: RE: [ILUG] aib 24hour-online

Agreed! I use it myself from home only. I'd not use it at work and I'd
not use it at all were it not that it's not too easy to get to the bank
sometimes. BOI's site is better from what I hear. I know they used to
provide you with a little credit card sized algorithmic number generator and
that formed part of your authentication. AFAICR that was two years ago
anyway but maybe I am just raving!!! Anyone on the list signed up with BOI
online who can confirm this and maybe explain how the system works?

> -----Original Message-----
> From: Fergal Moran [mailto:fergal.moran at domain wasptech.com]
> Sent: Tuesday, May 09, 2000 9:41 AM
> To: 'Paul Jakma'; 'ILUG list'
> Subject: RE: [ILUG] aib 24hour-online
>
>
> > uhmmm... this site is now giving me the occasional "can't connect to
> > database", etc.. type errors. Which is not unusual with these NT ASP
> > sites.
> Uhhmm - I would stay well away from that site. I signed up for it about 6
> months ago (it was still asp then) and after using it the first time I got
> it cancelled. It is incredibly insecure. An online banking site with no
> security other than username/password - the mind boggles.
>
> Fergal Moran
> --
> WASP Technologies
> http://www.wasptech.com
> Wireless Application Solutions Provider

--
Irish Linux Users' Group: ilug at domain linux.ie
http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at domain linux.ie
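
The five-step token login described in the message above, as an added example that is not part of the original thread and not the bank's or RACAL's code. The message does not say how the WatchWord token computes its response, so HMAC-SHA256 over a shared key is used here as a stand-in, and the names `Token`, `Server` and `response_for` are hypothetical.

```python
import hashlib
import hmac
import secrets

DIGITS = 7  # challenge and response length given in the message

def response_for(key: bytes, challenge: str) -> str:
    """Keyed function of the challenge, reduced to 7 decimal digits (stand-in)."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**DIGITS:0{DIGITS}d}"

class Token:
    """Handheld device: holds the key, answers challenges only after the PIN."""
    def __init__(self, key: bytes, pin: str, max_tries: int = 3):
        self._key, self._pin, self._max = key, pin, max_tries
        self._tries_left, self._unlocked = max_tries, False

    def enter_pin(self, pin: str) -> bool:
        if self._tries_left == 0:
            return False  # token has stopped working after 3 bad PINs
        ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        self._tries_left = self._max if ok else self._tries_left - 1
        self._unlocked = ok
        return ok

    def respond(self, challenge: str) -> str:
        if not self._unlocked:
            raise PermissionError("token is locked")
        return response_for(self._key, challenge)

class Server:
    """Bank side: one outstanding challenge per user ID, usable once."""
    def __init__(self, keys: dict):
        self._keys, self._pending = keys, {}

    def challenge(self, user_id: str) -> str:
        code = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._pending[user_id] = code
        return code

    def verify(self, user_id: str, response: str) -> bool:
        code = self._pending.pop(user_id, None)  # single use: a replay fails
        if code is None or user_id not in self._keys:
            return False
        expected = response_for(self._keys[user_id], code)
        return hmac.compare_digest(response.encode(), expected.encode())
```

Because the server discards each challenge on first use, a response captured in transit cannot be replayed, which is the property the replacement scheme of fixed PIN digits and personal details lacks.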


This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:06:04 GMT