Jim Murray ([EMAIL PROTECTED]) @ Thu, Jun 28, 2007 at 09:57:51AM +0100:
> Dennis Henderson wrote:
> > When will the customer have to have at least some responsibility for
> > their action/inactions?
> >
> > I guess the person who invents the perfectly secure internet
> > transaction will be the richest person on the planet. Imagine being
> > able to conduct a secure pc based internet transaction with every kind
> > of trojan and keylogger installed....
>
> Very simple, though I can't (unfortunately!) take credit for inventing it.
>
> Issue the customer with a numbered list of one-time passwords.
> For each transaction, have the bank computer require the use of one of
> those passwords, chosen at random.
>
> That way, no matter what trojans, sniffers or other garbage are on the
> PC the most they can capture is the password for one single transaction
> which instantly becomes useless for any future transactions.
Ok, so you type in your OTP. I MITM it and (while you're waiting for your login) log into your bank. Transfer some money to my anonymized swiss account from yours quickly, then log back out. Throw a "whups, password failed" screen at you and let you log in again without my MITM. How many users won't fall for that?

-- 
Bill Weiss

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
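As an added illustration (not code from anyone in this thread), here is a bank-side check for the numbered-list scheme Jim describes next to a hypothetical variant that binds each one-time password to the recipient and amount, which is the usual answer to the relay Bill outlines. The list values are constructed, and the bound variant assumes the customer computes the tag on a device the PC does not control.

```python
import hashlib
import hmac
import secrets

# Constructed sample list of numbered one-time passwords shared with the customer.
OTP_LIST = {1: "k3f9-xq2p", 2: "7mzt-ba4c", 3: "pl8d-e2vn"}


def bind(code, tx):
    """Tie a one-time password to the transfer it authorises (hypothetical scheme)."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(code.encode(), msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, otp_list):
        self.unused = dict(otp_list)  # each entry is consumed on first successful use

    def challenge(self):
        # The bank picks a random unused index, as in the list scheme above.
        return secrets.choice(sorted(self.unused))

    def verify_plain(self, idx, code):
        # Original scheme: only the password is checked; the transfer itself is not.
        ok = hmac.compare_digest(self.unused.get(idx, ""), code)
        if ok:
            del self.unused[idx]
        return ok

    def verify_bound(self, idx, tx, tag):
        # Bound scheme: the bank recomputes the tag over the transfer it is about
        # to execute, so a tag produced for a different transfer does not verify.
        code = self.unused.get(idx)
        if code is None:
            return False
        ok = hmac.compare_digest(bind(code, tx), tag)
        if ok:
            del self.unused[idx]
        return ok


def demo():
    intended = {"to": "ACME Utilities", "amount": "42.00"}    # what the customer meant
    diverted = {"to": "some other account", "amount": "9000.00"}  # a different transfer
    # Plain list: the bank cannot tell which transfer the password was meant for.
    bank = Bank(OTP_LIST); idx = bank.challenge(); code = OTP_LIST[idx]
    plain_first = bank.verify_plain(idx, code)   # accepted, whatever the transfer is
    plain_replay = bank.verify_plain(idx, code)  # replay rejected, as the list scheme promises
    # Bound list: the customer's tag commits to recipient and amount.
    bank = Bank(OTP_LIST); idx = bank.challenge(); tag = bind(OTP_LIST[idx], intended)
    bound_diverted = bank.verify_bound(idx, diverted, tag)  # rejected
    bound_intended = bank.verify_bound(idx, intended, tag)  # accepted
    return plain_first, plain_replay, bound_diverted, bound_intended
```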
