Full Disclosure mailing list archives

Re: Most common keystroke loggers?


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 02 Dec 2005 13:22:04 -0600

On Fri, 2005-12-02 at 11:12 -0800, Blue Boar wrote:
> I agree.  I'd also like to point out that the "token" has to actually do 
> the transaction processing for it to still be secure.  The PC at that 
> point is more-or-less just another untrusted pipe.  The banking industry 
> probably should be looking into making $40 USB co-computers with a 
> 2-line LCD display and accept/decline buttons.

Yup. These tokens have been around since the mid-nineties. My favorite
vendor in that respect is Vasco Data Security. I'm not up-to-date with
their current product lines, but back then they had a little device that
looked like a small calculator (it could actually be used as such too).
The user enters the transaction data, say account number -- enter --
destination number -- enter -- amount -- enter, and the token would then
display a code which is basically a hash of the values and a unique but
changing value to that token (like the value on an RSA SecureID card).
The user then enters that hash value into the transaction form and
submits it.

It was secure (you need the device to calculate the correct hash, and
changing any value during transmission voided the hash and thus
transaction). But more importantly, it was very easy to use. Any
grandmother that can use a calculator to add numbers can use this puppy
to conduct secure transactions online. And it was pretty affordable,
with unlimited lifespan (no SecureID-rebuy-in-2-years nonsense).

Maybe they were ahead of their time back then, or perhaps no one foresaw
the need for it. These days, everyone should be familiar with the terms
"identity theft" and "bankruptcy", so perhaps these devices will -- a
decade later -- come into fashion once again.

Cheers,
Frank

PS: I still have one of those calculator tokens (demo model) and it
still runs! :)

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
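The calculator-style transaction signing Frank describes, modelled as an added example (not Vasco's actual algorithm or any code from the thread): the token keys the transaction fields together with its own moving counter, the bank recomputes the code with the same shared secret, and any field changed in transit fails verification. HMAC-SHA256 with HOTP-style truncation and the counter-based "changing value" are assumptions made for the illustration.

```python
import hashlib
import hmac


def sign_transaction(secret: bytes, counter: int, account: str,
                     destination: str, amount_cents: int, digits: int = 8) -> str:
    """Token side: bind account, destination, amount and the token's own
    counter into one short decimal code the user can type into the form."""
    msg = f"{counter}|{account}|{destination}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): pick 4 bytes at a
    # digest-derived offset, drop the sign bit, reduce to the wanted digits.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_transaction(secret: bytes, last_counter: int, account: str,
                       destination: str, amount_cents: int, code: str,
                       window: int = 5):
    """Bank side: recompute the code over the fields as received, trying a
    small look-ahead of unused counter values. Returns the counter that
    matched (the bank must store it to block replays) or None on failure."""
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        expected = sign_transaction(secret, candidate, account, destination, amount_cents)
        if hmac.compare_digest(expected, code):
            return candidate
    return None


# Constructed demo values: per-token secret shared with the bank at issue time.
SECRET = b"constructed-demo-token-secret"
ACCOUNT, DEST, AMOUNT = "12345678", "87654321", 25000  # 250.00 in cents


def demo() -> dict:
    code = sign_transaction(SECRET, 1, ACCOUNT, DEST, AMOUNT)
    return {
        "code": code,
        # Untouched transaction: bank accepts and records counter 1 as used.
        "genuine": verify_transaction(SECRET, 0, ACCOUNT, DEST, AMOUNT, code),
        # Amount altered in transit (x10): same code no longer matches.
        "tampered": verify_transaction(SECRET, 0, ACCOUNT, DEST, AMOUNT * 10, code),
        # Same code submitted again after counter 1 was consumed: rejected.
        "replayed": verify_transaction(SECRET, 1, ACCOUNT, DEST, AMOUNT, code),
    }


if __name__ == "__main__":
    print(demo())
```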


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
