WebApp Sec mailing list archives

Re: Proposal to anti-phishing

From: exon <exon () home se>
Date: Wed, 19 Jan 2005 10:08:04 +0100

Michael Silk wrote:

Florian said:
It's acceptable neither to customers nor to banks. Thesedays, zero-setup online banking is an absolute must.
Not for corporate customers ...

Not for anyone. In Sweden, where I live, all banks have online banking.One tried to do a zero setup version, but people wouldn't use it becauseit didn't feel secure. The rest of the banks use one of the twofollowing systems;

1/ DigiPass (about the size of a flattened matchbox).

When you log in to your bank, you need to produce your login name(social security number or something auto-assigned) and then the bankwill challenge you with one or multiple series of numbers, which youenter into the digipass to get another series of digits that you enterback to the bank before you're logged in. Once logged in, you stillcan't transfer money just anywhere. You have to set up and sign arecipient account, and you have to sign each set of transfer includingtransfers to any account except those which you have unshared access to.Each digipass is sent by mail to the recipient, accompanied by a notestating that you need to visit a bank office to activate it properly.The digipass activation code is sent in a different envelope one weekafter the digipass box.The digipass box is pin-protected. The pin must be entered for each newsigning, and three bad pins locks it completely, in which case you mustget a new from the bank (about $10). If you break it open, you'll breakthe ROM inside (a da Vinci construction, actually).


2/ Scratchcard

Same as above, really, except that you read all your codes from a smallscratch ticket with a series of numbers. Each ticket contains about 20codes, and when there are only three left a new card is sentautomatically by the bank. This is far less secure, as anyone can usethe card if they steal it from you.

The point with this is that while these solution might seem cumbersome,customers won't actually touch their money online without them. Perhapsthat's just us swedes being security minded, but I believe any bankingcustomer would agree to it if the bank simply explained that it's neededso noone can rob the customer blind.


Cheers

/exon

Current thread:

Re: Proposal to anti-phishing, (continued)
- - - Re: Proposal to anti-phishing Kurt Seifried (Jan 24)
    - Re: Proposal to anti-phishing Rogan Dawes (Jan 27)
    - Re: Proposal to anti-phishing Moksha Faced (Jan 27)
    - Re: Proposal to anti-phishing Jimi Thompson (Jan 23)
    - RE: Proposal to anti-phishing Lyal Collins (Jan 24)
    - Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
  - Re: Proposal to anti-phishing Frank Knobbe (Jan 19)
    - Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- RE: Proposal to anti-phishing ACMurray (Jan 15)
- RE: Proposal to anti-phishing Michael Silk (Jan 19)
  - Re: Proposal to anti-phishing exon (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 23)
  - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
    - Re: Proposal to anti-phishing Michael Silk (Jan 23)
    - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
    - Re: Proposal to anti-phishing Michael Silk (Jan 23)
    - Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 24)
- RE: Proposal to anti-phishing Adler Eliacin (Jan 24)
- Re: Proposal to anti-phishing Michael Silk (Jan 27)
- Re: Proposal to anti-phishing Mike Podanoffsky (Jan 27)

(Thread continues...)