Message-ID: <1133551324.49544.80.camel@localhost>
Date: Fri Dec 2 19:22:13 2005
From: frank at knobbe.us (Frank Knobbe)
Subject: Most common keystroke loggers?

On Fri, 2005-12-02 at 11:12 -0800, Blue Boar wrote:
> I agree. I'd also like to point out that the "token" has to actually do
> the transaction processing for it to still be secure. The PC at that
> point is more-or-less just another untrusted pipe. The banking industry
> probably should be looking into making $40 USB co-computers with a
> 2-line LCD display and accept/decline buttons.

Yup. These tokens have been around since the mid-nineties. My favorite
vendor in that respect is Vasco Data Security. I'm not up-to-date with
their current product lines, but back then they had a little device that
looked like a small calculator (it could actually be used as such too).
The user enters the transaction data, say account number -- enter --
destination number -- enter -- amount -- enter, and the token would then
display a code which is basically a hash of the values and a unique but
changing value to that token (like the value on an RSA SecurID card).
The user then enters that hash value into the transaction form and
submits it.

It was secure (you need the device to calculate the correct hash, and
changing any value during transmission voided the hash and thus
transaction). But more importantly, it was very easy to use. Any
grandmother that can use a calculator to add numbers can use this puppy
to conduct secure transactions online. And it was pretty affordable,
with unlimited lifespan (no SecurID-rebuy-in-2-years nonsense).

Maybe they were ahead of their time back then, or perhaps no one foresaw
the need for it. These days, everyone should be familiar with the terms
"identity theft" and "bankruptcy", so perhaps these devices will -- a
decade later -- come into fashion once again.

Cheers,
Frank

PS: I still have one of those calculator tokens (demo model) and it
still runs! :)

--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
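
The scheme described in the message above, sketched as an added example that is not part of the original post and is not Vasco's algorithm. HMAC-SHA256 with HOTP-style truncation stands in for the token's hash and a counter stands in for the changing per-token value; the key, field encoding, code length and look-ahead window are all assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # length of the code shown on the token display (assumed)


def encode_fields(counter, fields):
    # Length-prefix each field so ("12", "345") and ("123", "45") cannot collide.
    out = struct.pack(">Q", counter)
    for f in fields:
        raw = f.encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return out


def sign_transaction(key, counter, src, dst, amount):
    """Code the token would display for these values at this counter."""
    mac = hmac.new(key, encode_fields(counter, (src, dst, amount)), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"


class Bank:
    """Server side: recomputes the code from the fields it actually received."""
    def __init__(self, key, window=3):
        self.key, self.counter, self.window = key, 0, window

    def verify(self, src, dst, amount, code):
        for c in range(self.counter, self.counter + self.window):
            expected = sign_transaction(self.key, c, src, dst, amount)
            if hmac.compare_digest(expected, code):
                self.counter = c + 1  # a used counter value is never accepted again
                return True
        return False


def demo():
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    bank = Bank(key)
    code = sign_transaction(key, 0, "1001", "2002", "150.00")  # typed into the token
    tampered = bank.verify("1001", "6666", "150.00", code)  # destination changed in transit
    genuine = bank.verify("1001", "2002", "150.00", code)
    replayed = bank.verify("1001", "2002", "150.00", code)  # same form submitted again
    return tampered, genuine, replayed


if __name__ == "__main__":
    print(demo())
```

The PC only ever sees the displayed code, so it can relay the form or alter it, but an altered form no longer matches the code and a captured code cannot be reused.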