Maybe I phrased it badly... I didn't mean to ditch OTP.
What I meant is that SMS authentication really isn't as vulnerable as it sounds...
Just because BCA uses an OTP device, there's a tendency for every customer to
assume all banking must use OTP, and that other alternatives aren't secure.
Whereas it probably doesn't matter that much.. SMS is already considered acceptably
secure, and most banks really do only use that, without any sophisticated devices
of any kind. OTP usually only shows up in business banking.

On Fri, Jul 16, 2010 at 12:13 PM, Adelwin, Adelwin
<adelwin.adel...@sc.com> wrote:

>
> So I don't really see the benefit of an OTP device armed with the
> brightest algorithms... Lame coding with a random number + SMS is already
> reasonably unbreakable for most personal banking, which to me seems to be
> the more logical solution in terms of both development cost and customer
> convenience.
>
> Well… luckily they don't think so…
>
> Otherwise.. I'd soon be out of a job…
>
> Hahahhaha
>
> That's how it is at a bank…
>
> Innovation is waaayyyy down the list…
>
> Security is of the utmost importance…
>
> Whether it's doubled up… whether it's redundant… whether it's useless most of
> the time… it will definitely be there…
>
> For them the 80-20 rule doesn't apply…
>
> Applying 20% of the security that they "could have" put in place to serve 80%
> of their customers…
>
> They just don't work like that…
>
> They will try to push as far as they possibly can… at all cost (I'd know)… to
> get as close as possible to 100%...
>
> To you it might be "ahh, this stuff isn't important"…
>
> 90% of the time it'll be secure anyway…
>
> Besides, who would want to take my money…
>
> My money is pocket change compared to a conglomerate's…
>
> But the conglomerates bank there too…
>
> They have to protect their money… and yours along with it…
>
> A 10% off chance that it will "not" be secure… well they just can't live with
> that…
>
> Don't be so quick to dismiss things…
>
> This is my job…
>
> I make my living from this…
>
> Banking…
>
> I would know…
>
>
> Adelwin Handoyo | Senior Consultant - Wholesale Bank
> Standard Chartered Bank
> 7, Changi Business Park Crescent, Level 3. Singapore (486028)
>
> T : (65) 659 61395 | E : adelwin.adel...@sc.com
>
> ------------------------------
>
> From: jug-indonesia@yahoogroups.com [mailto:
> jug-indone...@yahoogroups.com] On Behalf Of Hendry Luk
> Sent: Thursday, July 15, 2010 9:11 PM
> To: jug-indonesia@yahoogroups.com
> Subject: Re: [JUG-Indonesia] Technology that looks similar to KlikBCA, I think.....
>
>
> - secure-random is already part of the standard library in most programming
> languages..
>
> - even with predictable randomness, how likely is it to guess 5 digits
> correctly in 2 tries? The chances dwarf the risk.. considering that
> most personal savings accounts by default only get a transfer limit of
> $3k per day.
>
> - Even if you could guess those 5 digits with 100% accuracy (e.g. sniff the SMS
> packet), you'll find it nearly impossible to exploit that account without
> exposing your identity. Your IP gets tracked, and anyway, whose account are you
> going to transfer the money to?
>
> That's why we usually don't need to enter the SMS code again when sending to
> an account we've sent to before, if it's only $1k or less. So it isn't a hassle
> of having to enter a token code every time we transact when the destination
> account is already known to us (if that person rips you off, they're easy to
> catch).
>
> If you were a thief, rather than breaking into a bank account, there are a lot of
> bigger fish you could catch with significantly less effort. Credit cards have
> almost no security whatsoever. Every call-center agent you read your credit-card
> number to over the phone immediately possesses all the info required to
> take your money (there's no one-time password). Almost all IT staff working at
> most online retail shops can easily read all the credit-card
> information in their systems.
> But it's still not easy to spend that money. No online merchant
> lets its customers buy anything without somehow exposing the buyer's identity
> (e.g. delivery address).
>
> So I don't really see the benefit of an OTP device armed with the
> brightest algorithms... Lame coding with a random number + SMS is already
> reasonably unbreakable for most personal banking, which to me seems
> to be the more logical solution in terms of both development cost and customer
> convenience.
> I've never liked the (so called) "mobile" banking where you have to lug an OTP
> device around everywhere. My KeyBCA once malfunctioned, and my account got
> locked while I was overseas, and shockingly, according to their call center,
> there was *absolutely nothing* anyone could do about it, not even their
> high-ranking officers! Unbelievable. Luckily that wasn't my main pot of money,
> otherwise my situation would have been 100% f'd up, and I'd have had to look for
> a bridge with a warm underside.
>
> And anyway, the one who loses from a security breach isn't the customers or the
> merchants, but the bank itself.. Most banks give a 100% guarantee against
> fraud.
>
> 2010/7/15 Monang Setyawan <mon...@gmail.com>
>
> I don't believe that any thug can write a cryptographically secure PRNG.
>
> 2010/7/13 Hendry Luk <hendrym...@gmail.com>
>
> May I ask what the problem is?
>
> 2010/7/14 Monang Setyawan <mon...@gmail.com>
>
> Which bank has, as one of its internet banking developers, a "thug" who
> "writes code to generate a 5 digit random number"? I want to tell my
> friends/relatives not to become customers of that bank :)
>
> 2010/7/13 Hendry Luk <hendrym...@gmail.com>
>
> There's a new technology... generally deployed on mobile phone
> handsets, popularized two decades ago, named the "short-message-service", or
> SMS ;P
>
> In fact, the only bank I've ever seen use OTP is BCA. Every other bank
> uses plain humble SMS... secure, not a hassle (btw, do people really lug their
> KeyBCA around everywhere 24 hours a day?), and practical: any thug can write code
> to generate a 5 digit random number and send it by SMS... you don't need rocket
> scientists to build the super-advanced algorithm that is OTP.
>
> 2010/7/13 Endy Muhardin <endy.muhar...@gmail.com>
>
> 2010/7/13 Fredi Tansari <rese_amat_...@yahoo.co.uk>
>
> > hehehe, is using OTP like that still a thing....
> > btw I'm about to arrange a shipment of smart cards... anyone interested?
>
> So if you don't use OTP, is there any newer technology?
>
> --
> Endy Muhardin
> http://endy.artivisi.com
> Y! : endymuhardin
> -- life learn contribute --
>
> --
> "Don't worry about what anybody else is going to do. The best way to
> predict the future is to invent it." - Alan Kay
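The SMS code flow the thread argues over (Hendry's 5-digit code with two tries, Monang's insistence on a cryptographically secure generator), as an added Python example that is not code from anyone in this thread or from any bank: the code comes from the OS CSPRNG via `secrets`, is single use, expires, allows two attempts, and `guess_probability` gives the blind-guess odds. The 300-second lifetime and all names are my assumptions.

```python
"""SMS OTP flow as debated in the thread: a 5-digit code from a CSPRNG,
single use, short lifetime, two attempts (constructed demo, not bank code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 5        # the thread's "5 digit random number"
MAX_ATTEMPTS = 2       # the thread's "2 tries"
TTL_SECONDS = 300      # assumed lifetime; not stated in the thread


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts_left: int = MAX_ATTEMPTS


def generate_code(digits: int = CODE_DIGITS) -> str:
    """Zero-padded code from the OS CSPRNG (secrets), never from random.*."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def issue_otp(now: Optional[float] = None) -> PendingOtp:
    """Create a fresh code; the caller sends it by SMS and stores the record."""
    return PendingOtp(code=generate_code(), issued_at=time.time() if now is None else now)


def verify_otp(pending: PendingOtp, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'wrong', 'expired' or 'locked'. Each call burns one attempt."""
    now = time.time() if now is None else now
    if pending.attempts_left <= 0:
        return "locked"                     # attempts exhausted or code already used
    if now - pending.issued_at > TTL_SECONDS:
        pending.attempts_left = 0
        return "expired"
    pending.attempts_left -= 1
    # constant-time compare; a length mismatch is simply False
    if hmac.compare_digest(submitted.encode(), pending.code.encode()):
        pending.attempts_left = 0           # single use: accept once only
        return "ok"
    return "wrong"


def guess_probability(attempts: int = MAX_ATTEMPTS, digits: int = CODE_DIGITS) -> float:
    """Blind-guess success odds the thread argues over: attempts / 10**digits."""
    return min(1.0, attempts / 10 ** digits)
```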