* Eugen Leitl:

> The German PIN/TAN system is reasonably secure, being an effective
> one-time pad distributed through out of band channel (mailed dead
> tree in a tamperproof envelope).

Some banks have optimized away the special envelope. 8-(

> It is of course not immune to phishing (PIN/TAN harvesting), which
> has become quite rampant recently.

And we face quite advanced attack technology, mainly compromised end
systems.  We are well beyond the point where simple tokens (like RSA
SecureID) would help.

> I do have a HBCI smartcard setup with my private account but don't use it
> since it's locked in a proprietary software jail.

The way the current attacks are carried out, smartcard-based HBCI is
less secure than the PIN/TAN model because with HBCI, you don't need
to authorize each transaction separately.  At this stage, few people
recognize this problem, and German banks put high hopes on
smartcard-based online banking, despite its high costs in terms of
consumer devices and support calls.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to