On 4/28/09 9:27 AM, Peter Keane wrote:
> As an analogy, imagine if banks allowed withdrawals w/o a user typing
> a PIN. The bank can guarantee that I am the one who was issued the
> card AND it can guarantee that it is the same card being used to withdraw
> money. And you can do all kinds of things to guard against anyone but
> the legitimate card owner getting ahold of it. But unless you take
> that extra step (the PIN entered at the ATM) you never create
> sufficient linkages to "verify" authenticity. That's why a PIN can be
> short & easy to remember (but should NOT be written on the card! ;-)).
> Since it is an out-of-band arrangement, it offers a high level of
> assurance.
Although, the banks have known for a long time that their implementation is without security. Hackers today are compromising the MDS crypto blocks and are stealing PINs en masse. Basically, the banks implemented a system that assumed that the secret would remain secret and could never be compromised, similar to OAuth's dependency on the secrets remaining secret. The banks are due for a huge overhaul of their ATM transaction platform or will continue to lose serious money to the hackers.

Fortunately, no one implementing OAuth has anything so valuable, yet. However, OAuth's inherently similar flaw will likely mean that no service that does have anything valuable will expose those resources using OAuth. It's a very sad, built-in limiting factor for something with such potential.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
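The assumption the post describes, that an OAuth request is authentic only for as long as the consumer secret and token secret stay secret, as an added example that is not part of this thread and not code from any OAuth library: a minimal OAuth 1.0 HMAC-SHA1 signer plus a resource server that checks the signature and rejects reused nonces. The base-string construction is checked against the worked example in RFC 5849 (the later IETF write-up of the same signature scheme); the URL, keys and secrets used in demo() are constructed for the example.

```python
"""OAuth 1.0 HMAC-SHA1 signing/verification, showing that a request is authentic
exactly as long as the two secrets are secret. Added example; credentials are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def oauth_encode(s: str) -> str:
    # RFC 5849 3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay unencoded
    return quote(s, safe="-._~")


def normalize_params(params):
    # Encode names and values, sort by name then value, join with "&"
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, base_url, params):
    return "&".join([method.upper(), oauth_encode(base_url),
                     oauth_encode(normalize_params(params))])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret):
    # The HMAC key is nothing but the two secrets: whoever holds them can sign
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, request_params, consumer_key, consumer_secret,
                 token, token_secret):
    params = list(request_params) + [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(int(time.time()))),
        ("oauth_nonce", secrets.token_hex(8)),
        ("oauth_version", "1.0"),
    ]
    sig = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    return params + [("oauth_signature", sig)]


class ResourceServer:
    """Verifies signatures against stored secrets and rejects reused nonces."""

    def __init__(self, consumer_secrets, token_secrets):
        self.consumer_secrets = consumer_secrets
        self.token_secrets = token_secrets
        self.seen_nonces = set()

    def verify(self, method, base_url, params):
        supplied = dict(params)  # oauth_* names occur once per request
        consumer_secret = self.consumer_secrets.get(supplied.get("oauth_consumer_key"))
        token_secret = self.token_secrets.get(supplied.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return False
        nonce_key = (supplied["oauth_consumer_key"], supplied.get("oauth_timestamp"),
                     supplied.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:  # replay of a captured request
            return False
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, base_url, unsigned,
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, supplied.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce_key)
        return True


# Parameters of the worked example in RFC 5849 section 3.4.1.1, used to check
# that the base-string construction above is correct.
RFC5849_EXAMPLE_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),
    ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"), ("c2", ""), ("a3", "2 q"),
]


def demo():
    """Legitimate request, a replay of it, and a fresh request forged with stolen secrets."""
    url = "https://api.example.com/account"  # constructed
    ck, cs, tk, ts = "consumer-1", "cs-secret", "token-1", "ts-secret"  # constructed
    server = ResourceServer({ck: cs}, {tk: ts})
    legit = sign_request("GET", url, [("q", "balance")], ck, cs, tk, ts)
    results = {"legitimate": server.verify("GET", url, legit)}
    results["replay"] = server.verify("GET", url, legit)
    # An attacker who has obtained cs and ts (the "secret stays secret" assumption
    # failing) signs a new request the server cannot tell from the client's own.
    forged = sign_request("GET", url, [("q", "transfer")], ck, cs, tk, ts)
    results["forged_with_stolen_secrets"] = server.verify("GET", url, forged)
    return results
```

Running demo() gives the point of the thread in three lines: the replayed capture of the legitimate request is rejected because its timestamp/nonce pair has already been seen, but a brand-new request signed by whoever holds the two secrets is accepted, since the HMAC key is nothing other than those secrets and the protocol offers the server no out-of-band factor comparable to the PIN. A production server would additionally bound oauth_timestamp skew and expire stored nonces; both are left out here.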
