Merchants who *really* rely on their web site being secure are those that take instructions for the delivery of value over it. It's a given that they have to work very hard to secure their websites, and it is instructive to watch their efforts.
The cutting edge in making web sites secure is occurring in the gold community and presumably the PayPal community (I don't really follow the latter). AFAIK, this has been the case since the late 90's; before that, some of the European banks were doing heavy duty stuff with expensive tokens.

e-gold have a sort of graphical number that displays and has to be entered in by hand [1]. This works against bots, but of course the bot writers have conquered it somehow. e-gold are of course the recurrent victim of the spoofers, and it is not clear why they have not taken serious steps to protect themselves against attacks on their system.

eBullion sell an expensive hardware token that I have heard stops attacks cold, but suffers from poor take-up because of its cost [2]. Goldmoney relies on client certs, which also seem to be poor in take-up, probably more to do with their clumsiness, due to the early uncertain support in the browser and in the protocol. Also, Goldmoney has structured itself to be an unattractive target for attackers, using governance and marketing techniques, so I expect them to be the last to experience real tests of their security. Another small player called Pecunix allows you to integrate your PGP key into your account and confirm your nymity using PGP signatures. At least one other player had decided to try smart cards.

Now a company called NetPay.TV - I have no idea about them, really - have started a service that sends out a 6 digit PIN over the SMS messaging feature of the GSM network for the user to type in to the website [4]. It's highly innovative and great security to use a completely different network to communicate with the user and confirm their nymity. On the face of it, it would seem to pretty much knock a hole into the incessant, boring and mind-bogglingly simple attacks against the recommended SSL web site approach. What remains to be seen is if users are prepared to pay 15c each time for the SMS message.
In Europe, SMS messaging is the rage, so there won't be much of a problem there, I suspect. What's interesting here is that we are seeing the market for security evolve and bypass the rather broken model that was invented by Netscape back in '94 or so. In the absence of structured, institutional, or mandated approaches, we now have half a dozen distinct approaches to web site application security [4]. As each of the programmes is voluntary, we have a fair and honest market test of the security results [5].

iang

[1] here's one if it can be seen: https://www.e-gold.com/acct/gen3.asp?x=3061&y=62744C0EB1324BD58D24CA4389877672 Hopefully that doesn't let you into my account! It's curious, if you change the numbers in the above URL, you get a similar drawing, but it is wrong...

[2] All companies are .com, unless otherwise noted.

[3] As well as the activity on the gold side, there are the adventures of PayPal with its pairs of tiny payments made to users' conventional bank accounts.

[4] Below is their announcement, for the record.

[5] I just thought of an attack against NetPay.TV, but I'll keep quiet so as not to enjoy anyone else's fun :-)

==============================================================
N E T P A Y . T V   N E W S L E T T E R
October 3rd, 2003
Sent to NetPay members only, removal instructions at the end of the message
==============================================================
1. SMS entry - Unique Patent pending entry system - World first!
==============================================================
http://www.netpay.tv/news.htm

What is this new form of entry?

Do you own a mobile phone? Can you receive SMS messages? Would you like to have your own personal NetPay security officer contact you when entry to your account is required?

Netpay would like to introduce a world first in account security. This new feature is so simple, yet so effective - we believe every member will utilize it.
If you answered yes to the above, then your SMS capable mobile is a powerful security device, which will stop any unforced attempts of entry into your Netpay account. No need to purchase expensive security token hardware, no need to be utterly confused on how to use the security device. If you know how to use your mobile, then you know how to totally protect your Netpay account from any possible unlawful entry.

This new system sends you an automated 6 digit secure random PIN direct to your phone whenever you try to access your account. Without this PIN, it is impossible to log in. The PIN arrives direct to your mobile within seconds! It is as good as having your own personal security officer calling you whenever someone is trying to access your account!

SMS AUTHENTICATED SECURITY ENTRY

It is simple. This new feature allows each member to set his or her own mobile phone number within his or her account. Now when you go to access your account again, you choose to Login via SMS authentication (It is impossible to access via standard login once you load a mobile phone number within your account). You only need to now remember your 4 digit Trojan bypassing PIN (unique to NetPay) and your Netpay account number (this number is public knowledge). No need to recall your password or any other numbers, as the server instantly links your PIN and account number with your SMS enabled mobile phone and sends you a random - one time, 6 digit PIN (expires after 5 minutes) instantly to your SMS capable phone! Once you receive the random security code, you then enter it into the final entry page online and you now have access to your account.

Visit Flash promo here: http://www.netpay.tv/netpay.swf

How do I set SMS entry for my account and what does it cost?

Very simple. Enter your account and go to the My Info page in the secure members area - ADD your mobile phone by clicking the link which states: Cell phone # for SMS authentication.
From here, you need only ADD an SMS enabled phone and authorize this by entering your NetPay ID number (set when you registered and is more than likely a passport or drivers license number). You now have total SMS protection. Each time you access, a small charge of 15c is removed from your account to cover the fee charged for the SMS secure message. This 15c is the best money spent when it comes to securing your account online.

*Remember, you must have your SMS phone enabled and on when you try to access or you will not be able to enter your account.

Why is the new Patent pending NetPay SMS entry system simpler than security encryption tokens or calculators?

- Nearly everyone can use a GSM enabled mobile phone (no confusion compared to expensive hardware tokens and yet our online entry system is just as secure)
- SMS messages can be received in any country using GSM (please check our list of countries before registering your mobile as your phone may not be compatible).
- It is totally portable. You can access your account from any PC, anywhere SMS messages can be sent and as long as you have your mobile switched on. Even if the PC was infected with a virus, you can still enjoy secure access!
- No need to purchase expensive and confusing hardware - just simply read your text SMS message via your mobile and you can access your account in total security. Total account protection for only 15c per authorized entry.
- You don't need to send any messages back for verification, simply enter the 6 digit PIN you receive on the online automated form.
- SSL security ensures the PIN is totally encrypted, random, and only able to be used once only.

What makes this more secure than standard entry systems?

- Even if the user was using a PC with a virus or Trojan keyboard logger, it would not be possible for the hacker to obtain the 6 digit PIN being sent to your mobile - as it is a one time, expiring PIN and is sent totally offline. Even if it records the PIN when you enter it - it is useless, as it can only be used once. This ensures at all times, even when one is using someone else's PC, they are secure. The only details the Trojan will pick up is the user's account number, which is common public knowledge (as the 4 digit Netpay PIN number is entered not via the keyboard but using our Patented keyless entry - which bypasses standard Trojans).
- 6 digit SMS PIN sent is a one time only useable PIN, totally random and is valid for a maximum of only 5 minutes. This ensures even if someone else reads the SMS and tries to access, the time limit would have expired after the 5-minute period.
- SMS messages travel on a secure signaling network - any possible interception of the PIN would take considerable effort and time, thus the 5 minute limited life of the random PIN ensures full security.
- Even if someone were to steal your mobile, they would not know how to access your NetPay account as they would need to know both your account number and 4 digit security PIN.

ENJOY THIS PATENTED FORM OF ENTRY NOW - ACCESS YOUR ACCOUNT AND ADD A SMS MOBILE NUMBER TODAY (COSTS ONLY 15c PER AUTHORIZED ENTRY).

http://www.netpay.tv

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
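The mechanism that both iang's summary and the NetPay announcement describe (a random 6 digit PIN, sent out of band, usable once, expiring after 5 minutes) comes down to a small amount of server-side state. The Python below is an added example written for this page; it is not NetPay's code and not part of the original post. The account id and phone number are constructed sample values, the SMS gateway is replaced by a list that records what would have been sent, and two details the announcement does not mention are assumed as ordinary practice: the PIN is stored only as a salted hash, and a cap on wrong guesses forces a fresh PIN to be issued.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # 5-minute lifetime, as the announcement states
OTP_DIGITS = 6          # 6-digit PIN, as the announcement states
MAX_ATTEMPTS = 5        # cap on wrong guesses; assumed here, not stated by NetPay


@dataclass
class PendingOtp:
    digest: bytes       # salted hash of the PIN; the clear PIN is never kept server-side
    salt: bytes
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """In-memory stand-in for the server side of an SMS one-time-PIN login step."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the demo can move time forward
        self._pending = {}        # account_id -> PendingOtp (at most one live PIN each)
        self.sent_messages = []   # stand-in for the SMS gateway: (phone, text)

    @staticmethod
    def _digest(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)

    def issue(self, account_id: str, phone: str) -> None:
        """Generate a fresh PIN, record its hash and expiry, and 'send' it."""
        pin = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # A new PIN replaces any earlier one, so an old unexpired PIN cannot linger.
        self._pending[account_id] = PendingOtp(
            digest=self._digest(pin, salt),
            salt=salt,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self.sent_messages.append((phone, f"Your login PIN is {pin}"))

    def verify(self, account_id: str, submitted: str) -> str:
        """Check a submitted PIN against the pending one; returns a short outcome string."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_pin"          # never issued, already used, or discarded
        if self._clock() > entry.expires_at:
            del self._pending[account_id]
            return "expired"                 # the 5-minute window has closed
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]    # too many guesses: force a fresh issue
            return "too_many_attempts"
        if not hmac.compare_digest(self._digest(submitted, entry.salt), entry.digest):
            return "wrong_pin"
        del self._pending[account_id]        # one-time use: consumed on success
        return "ok"


def demo() -> list:
    """Walk through issue, use, replay, expiry and guessing with a controllable clock."""
    now = [1_000_000.0]
    svc = SmsOtpService(clock=lambda: now[0])
    account, phone = "acct-0001", "+00 000 000 000"   # constructed sample values

    def last_pin():
        return svc.sent_messages[-1][1].split()[-1]   # what the user reads off the handset

    outcomes = []
    svc.issue(account, phone)
    pin = last_pin()
    outcomes.append(svc.verify(account, pin))   # "ok"
    outcomes.append(svc.verify(account, pin))   # "no_pending_pin": a consumed PIN cannot be replayed

    svc.issue(account, phone)
    pin = last_pin()
    now[0] += OTP_TTL_SECONDS + 1
    outcomes.append(svc.verify(account, pin))   # "expired": correct PIN, but too late

    svc.issue(account, phone)
    pin = last_pin()
    wrong = f"{(int(pin) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"   # guaranteed-wrong guess
    for _ in range(MAX_ATTEMPTS):
        outcomes.append(svc.verify(account, wrong))   # "wrong_pin", MAX_ATTEMPTS times
    outcomes.append(svc.verify(account, pin))   # "too_many_attempts": locked out even with the right PIN
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The expiry and single-use checks are the two properties the announcement leans on, and together they bound how long a PIN that someone else has read remains useful. They say nothing about a PIN being used from the same PC while it is still live, so a deployment would also bind the pending PIN to the session that requested it and state in the SMS text what the PIN is for, so that the person reading the handset can tell whether they started that login.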