| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Aug 8 15:38:12 2005 From: bart.lansing at hushmail.com (Bart Lansing) Subject: Defeating Citi-Bank Virtual Keyboard Protection -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, 06 Aug 2005 13:40:40 -0700 root <lyal.collins@...2it.com.au> wrote: >Aditya Deshmukh wrote: > >>The only most secure protection is a one time password with a >challenge / >>response scheme. Most of the banks in europe already do this. >> >>They give out a calculator like device to the customers and when >u want to >>login you are presented with a challenge that you punch into you >device >>which spits a response that you enter that into the form.... >> >>Costly for the bank but very effective security for the customer >and bank in >>terms of gain in security and decrease in losses due to fraud >.... >> >> >>- Aditya >> >> >> >> >>__________________________________________________________________ >______ >>Delivered using the Free Personal Edition of Mailtraq >(www.mailtraq.com) >>_______________________________________________ >>Full-Disclosure - We believe in it. >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> >> >Respectfully, I disagree. >Although I never attended, this year's IT Underground conference >in >poland promised a hand on session breaking OTP tokens. As >Schneier >says, OT token device merely force a tactical shift by the >attacker, not >a permanent fix. >The credit card industry's 'fixes' have only been effective for >weeks to >months over the past decade, so I don't consider OTPs will make >much >difference relative to the cost in the mid-long term. > >Lyal >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ There is no permanent security fix...for anything. Every system that exists today will be vulnerable tomorrow, and every measure to secure them that exists today will be thought to be old-school and simplistic in a decade (probably much sooner, I'm allowing wiggle room). Starting from that point, with all due respect to Mr. Schneier as parahphrased by Lyal, OTP tokens/two factor in general, while not perfect, are light years beyond "Hey, type your password into this webform for us, and we'll pull up your bank account." in terms of doing what matters...securing the customer. Today. Not some nebulous tomorrow where we all rest our finger on the passive DNA scanner built into whatever user interface device we are using at the time (and that will no doubt be vulnerable to man in the middle attacks using DNA Dictionaries). The Game is not "Can you make it permanently secure?"...you can't. The Game is "Given the resources we have today (technical, fiscal, human, physical, etc), how secure can we make systems that are at risk and are appropriate to take such measures for?". Planning for tomorrow while offering critiques of today's solutions is great...and it will make tomorrow a better/safer place for our data. But right now we have to make do with what's both available and realistically achievable. OTPs are both. -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkL3bkQACgkQfw4CJpLBxONDMwCdFkkukBzPPoGzY2RFv5TXjYNYFGEA oIPFeDwa/Eu/gqyEHh+DF+SUdUU5 =rOmT -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427
Powered by blists - more mailing lists