On Fri, 2005-12-02 at 11:12 -0800, Blue Boar wrote:
> I agree. I'd also like to point out that the "token" has to actually do
> the transaction processing for it to still be secure. The PC at that
> point is more-or-less just another untrusted pipe. The banking industry
> probably should be looking into making $40 USB co-computers with a
> 2-line LCD display and accept/decline buttons.

Yup. These tokens have been around since the mid-nineties. My favorite vendor in that respect is Vasco Data Security. I'm not up-to-date with their current product lines, but back then they had a little device that looked like a small calculator (it could actually be used as such too).

The user enters the transaction data, say account number -- enter -- destination number -- enter -- amount -- enter, and the token would then display a code which is basically a hash of the values and a unique but changing value to that token (like the value on an RSA SecurID card). The user then enters that hash value into the transaction form and submits it.

It was secure (you need the device to calculate the correct hash, and changing any value during transmission voided the hash and thus the transaction). But more importantly, it was very easy to use. Any grandmother that can use a calculator to add numbers can use this puppy to conduct secure transactions online. And it was pretty affordable, with unlimited lifespan (no SecurID-rebuy-in-2-years nonsense).

Maybe they were ahead of their time back then, or perhaps no one foresaw the need for it. These days, everyone should be familiar with the terms "identity theft" and "bankruptcy", so perhaps these devices will -- a decade later -- come into fashion once again.

Cheers,
Frank

PS: I still have one of those calculator tokens (demo model) and it still runs! :)

-- 
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
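The calculator-token scheme Frank describes, as an added example that is not part of the original post and is not Vasco's actual algorithm (the thread does not spell that out): the token computes an HMAC over the entered transaction fields plus a per-token counter and truncates it to a short code the way RFC 4226 HOTP does, and the bank recomputes it server-side. The shared secret, the field serialization, the 8-digit code length and the 5-step counter lookahead are assumptions made for the demo; the transaction values are constructed.

```python
import hashlib
import hmac
from decimal import Decimal

CODE_DIGITS = 8   # assumption: length of the code the user types back
LOOKAHEAD = 5     # assumption: how many skipped counter values the bank tolerates

# Constructed demo secret, shared between token and bank at enrolment. Real
# tokens hold a per-device key; this is not a real key.
SECRET = b"constructed demo secret, not a real token key"


def canonical_transaction(account: str, destination: str, amount: str) -> bytes:
    """Serialize the three fields unambiguously, so that ("12","345") and
    ("123","45") cannot collide and "250" signs the same as "250.00"."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    fields = [account.strip(), destination.strip(), amt]
    return b"\n".join(f.encode("ascii") for f in fields)


def transaction_code(secret: bytes, counter: int,
                     account: str, destination: str, amount: str) -> str:
    """HMAC-SHA256 over counter || transaction, truncated to CODE_DIGITS digits
    with the dynamic-truncation step from RFC 4226 (HOTP)."""
    msg = counter.to_bytes(8, "big") + canonical_transaction(account, destination, amount)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class CalculatorToken:
    """The user's device: holds the secret and a counter that advances on
    every signature (the 'unique but changing value' from the post)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def sign(self, account: str, destination: str, amount: str) -> str:
        code = transaction_code(self._secret, self._counter, account, destination, amount)
        self._counter += 1
        return code


class BankServer:
    """The bank's side: same secret, the last counter it accepted, and a small
    lookahead window so a signature the user never submitted does not brick the token."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def verify(self, account: str, destination: str, amount: str, code: str) -> bool:
        for c in range(self._counter, self._counter + LOOKAHEAD):
            expected = transaction_code(self._secret, c, account, destination, amount)
            if hmac.compare_digest(expected, code):
                self._counter = c + 1   # consume the counter: the same code cannot be replayed
                return True
        return False


if __name__ == "__main__":
    token, bank = CalculatorToken(SECRET), BankServer(SECRET)
    code = token.sign("123456", "987654", "250.00")
    print("honest transfer accepted:", bank.verify("123456", "987654", "250.00", code))
    code = token.sign("123456", "987654", "250.00")
    # Malware on the PC rewrites the destination after the user signed: rejected.
    print("tampered destination accepted:", bank.verify("123456", "111111", "250.00", code))
```

Two things in the design matter more than the hash choice: the code binds every field the user saw on the token's display, so a compromised PC can only forward the transaction unchanged or not at all, and the counter is consumed on success, so an intercepted code cannot be submitted twice. A time-based changing value would work equally well; the counter was chosen here because the calculator-style device has no clock to drift.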