Full Disclosure mailing list archives
Re: Defeating Citi-Bank Virtual Keyboard Protection
From: "Bart Lansing" <bart.lansing () hushmail com>
Date: Mon, 8 Aug 2005 07:37:57 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 06 Aug 2005 13:40:40 -0700 root <lyal.collins () key2it com au> wrote:

> Aditya Deshmukh wrote:
> > The only most secure protection is a one time password with a challenge/response scheme. Most of the banks in Europe already do this. They give out a calculator-like device to the customers and when you want to login you are presented with a challenge that you punch into your device, which spits out a response that you enter into the form....
> > Costly for the bank but very effective security for the customer and bank in terms of gain in security and decrease in losses due to fraud....
> > - Aditya
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> Respectfully, I disagree. Although I never attended, this year's IT Underground conference in Poland promised a hands-on session breaking OTP tokens. As Schneier says, OTP token devices merely force a tactical shift by the attacker, not a permanent fix. The credit card industry's 'fixes' have only been effective for weeks to months over the past decade, so I don't consider OTPs will make much difference relative to the cost in the mid-long term.
> Lyal

There is no permanent security fix...for anything. Every system that exists today will be vulnerable tomorrow, and every measure to secure them that exists today will be thought to be old-school and simplistic in a decade (probably much sooner, I'm allowing wiggle room).

Starting from that point, with all due respect to Mr. Schneier as paraphrased by Lyal, OTP tokens/two factor in general, while not perfect, are light years beyond "Hey, type your password into this webform for us, and we'll pull up your bank account." in terms of doing what matters...securing the customer. Today. Not some nebulous tomorrow where we all rest our finger on the passive DNA scanner built into whatever user interface device we are using at the time (and that will no doubt be vulnerable to man in the middle attacks using DNA Dictionaries).

The Game is not "Can you make it permanently secure?"...you can't. The Game is "Given the resources we have today (technical, fiscal, human, physical, etc), how secure can we make systems that are at risk and are appropriate to take such measures for?". Planning for tomorrow while offering critiques of today's solutions is great...and it will make tomorrow a better/safer place for our data. But right now we have to make do with what's both available and realistically achievable. OTPs are both.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkL3bkQACgkQfw4CJpLBxONDMwCdFkkukBzPPoGzY2RFv5TXjYNYFGEA
oIPFeDwa/Eu/gqyEHh+DF+SUdUU5
=rOmT
-----END PGP SIGNATURE-----
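The calculator-like challenge/response token that Aditya describes (bank shows a challenge, customer keys it into the device, device returns a short code, customer types the code into the form), written out as an added Python example. This is not code from any poster or from any bank's actual device: the names `device_response` and `BankServer` are hypothetical, the device algorithm is assumed to be HMAC-SHA1 over the challenge with HOTP-style (RFC 4226) truncation to six digits, and the secret and account are constructed sample data. The point it makes concrete is the one Bart argues: a response captured by a keylogger or screen grabber is bound to one fresh challenge and is consumed on first use, so replaying it at a later login fails, unlike a static password. It equally illustrates Lyal's caveat: nothing here stops an attacker who relays the live challenge and response in real time, which is the "tactical shift" he refers to.

```python
import hashlib
import hmac
import secrets


def device_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Compute what the hand-held token shows once the user keys in the challenge.

    Hypothetical design: HMAC-SHA1 over the challenge, truncated to a short
    decimal code the way HOTP (RFC 4226) truncates its counter MAC. The devices
    the thread mentions may do something different; this is just one concrete,
    verifiable instance of "challenge in, response out".
    """
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset, 0..15 (mac is 20 bytes)
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class BankServer:
    """The bank's side: issue a fresh challenge per login, accept one response per challenge."""

    def __init__(self, token_secrets: dict):
        # account -> secret provisioned into that customer's token (constructed sample data)
        self._secrets = dict(token_secrets)
        # account -> challenge currently outstanding; removed on the first verify attempt
        self._pending: dict = {}

    def new_challenge(self, account: str) -> str:
        # 8 random decimal digits: short enough to type, unpredictable enough that a
        # response captured at one login says nothing about the next one.
        challenge = "".join(str(secrets.randbelow(10)) for _ in range(8))
        self._pending[account] = challenge
        return challenge

    def verify(self, account: str, challenge: str, response: str) -> bool:
        # Consume the outstanding challenge on the first attempt, right or wrong,
        # so a keylogged (challenge, response) pair cannot be replayed later.
        expected_challenge = self._pending.pop(account, None)
        if expected_challenge is None or challenge != expected_challenge:
            return False
        expected = device_response(self._secrets[account], challenge)
        # constant-time comparison of the six-digit code
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed demo: one customer, one token secret shared with the bank.
    secret = secrets.token_bytes(20)
    bank = BankServer({"alice": secret})
    ch = bank.new_challenge("alice")
    resp = device_response(secret, ch)                  # what the token displays
    print("login:", bank.verify("alice", ch, resp))     # True
    print("replay:", bank.verify("alice", ch, resp))    # False: challenge already consumed
```

Two design choices worth noting: the challenge is removed from the pending table before the response is checked, so even a wrong guess burns the challenge and an attacker cannot keep trying codes against the same one; and the account is looked up in the pending table before the secret table, so an unknown account simply fails rather than raising.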
Current thread:
- RE: Defeating Citi-Bank Virtual Keyboard Protection, (continued)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Aditya Deshmukh (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection fractalg (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Peter Ferrie (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection root (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection root (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Michal Zalewski (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Aditya Deshmukh (Aug 05)
- Re: Defeating Citi-Bank Virtual Keyboard Protection root (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Debasis Mohanty (Aug 05)
- RE: Defeating Citi-Bank Virtual Keyboard Protection Nicob (Aug 08)
- Re: Defeating Citi-Bank Virtual Keyboard Protection Bart Lansing (Aug 08)