On 07.05.14 20:34, Brent Wallis wrote:
> On Wed, May 7, 2014 at 7:38 PM, Erik Christiansen
> > That bank cared enough about security to _insist_ on sending a security
> > dongle when a substantial netbank account was opened - they did not
> > wish to accept liability for loss of that amount of funds without the
> > extra security provision.

..

> The dongle was / could have been "keyed" off the private cert of the
> domain...perhaps?

Such dongles merely generate one-time passwords, changing every few
seconds. They are driven by a pseudo-random sequence generator, I figure.
It is trivial to build one into a CMOS chip which runs for years on the
tiny sealed-in battery, yet does not repeat in 100 human lifetimes.

The one weakness, in the event of the account ID and password both being
acquired, is that a lucky crim might randomly guess the token value for
that instant, since that's only 1 in a million.

Erik
--
Pessimist: The glass is half empty.
Optimist: The glass is half full.
Engineer: The glass is twice as big as it needs to be.
- Read on avr-chat ML
Pragmatist: Who cares, so long as there's more in the bottle.
_______________________________________________
luv-main mailing list
http://lists.luv.asn.au/listinfo/luv-main
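
Added example, not part of the original message: a sketch of the one-time-password scheme discussed above, showing why a server that limits failed attempts keeps the 1-in-a-million guess from growing. The post does not name the dongle's algorithm, so RFC 6238 TOTP is used as a stand-in; the 30-second step, the three-failure lockout and the Verifier class are assumptions.

```python
# Added illustration; RFC 6238 TOTP stands in for the dongle's unnamed generator.
import hashlib
import hmac
import struct

DIGITS = 6   # six digits gives the post's 1-in-a-million code space
STEP = 30    # assumed seconds per code; the post only says "every few seconds"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server side: current step only, lock after max_failures misses."""

    def __init__(self, secret: bytes, max_failures: int = 3):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0

    def check(self, code: str, unix_time: int) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked: even a correct code is refused
        if hmac.compare_digest(code, totp(self.secret, unix_time)):
            self.failures = 0
            return True
        self.failures += 1
        return False


def guess_success_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance that at least one of `attempts` independent random guesses,
    each made against a different time step, matches the code."""
    return 1.0 - (1.0 - 10.0 ** -digits) ** attempts


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print(totp(secret, 59))
    for n in (1, 3, 1000, 1_000_000):
        print(n, f"{guess_success_probability(n):.6f}")
```

With the lockout in place an attacker holding the account ID and password gets three guesses, so the chance of success stays near three in a million; without it, a million guesses would succeed about 63% of the time.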