Re: Article on passwords in Wired News
Peter Gutmann wrote:

>> An article on passwords and password safety, including this neat bit:
>>
>> For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
>>
>> http://www.wired.com/news/infostructure/0,1377,63670,00.html
>
> One-time passwords (TANs) was another thing I covered in the "Why isn't the Internet secure yet, dammit!" talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that are planning to introduce these in the foreseeable future. I've also been unable to get any credible explanation as to why not, as far as I can tell it's "We're not hurting enough yet". Maybe it's just a cultural thing, certainly among European banks it seems to be a normal part of allowing customers online access to banking facilities.

My (European) bank uses "memorable information", an alphanumeric string provided by me, and they ask for three randomly chosen characters when authenticating online. There is also a fixed password.

Not terribly secure, or terribly one-time, but it would defeat a simple keylogger or shoulder surfing attack, for instance. It doesn't give me the warm fuzzies, but it does mean I would use a dodgy terminal at least once if I was stuck in the badlands (and then change passwords etc.).

--
Peter Fairbrother
Re: Article on passwords in Wired News
On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote:

> Citibank in India experimented with a special case of this a few years ago - online credit cards - basically, a credit card number valid for one use only, which would be ideal for online purchasing. IIRC, the offering was withdrawn because there weren't enough takers.

American Express still does this, although it's difficult to find and use. They call it Private Payments.

--
- Adam -
http://www.adamfields.com
Re: Article on passwords in Wired News
also sprach Peter Gutmann [EMAIL PROTECTED] [2004.06.03.1014 +0200]:

> One-time passwords (TANs) was another thing I covered in the "Why isn't the Internet secure yet, dammit!" talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that are planning to introduce these in the foreseeable future. I've also been unable to get any credible explanation as to why not, as far as I can tell it's "We're not hurting enough yet". Maybe it's just a cultural thing, certainly among European banks it seems to be a normal part of allowing customers online access to banking facilities.

While these are definitely nice, I am not particularly pleased. For one, they are only "what you have", and not anything else.

I love the Swiss system, which is a token card and a reader, locked with a PIN. You go to the web, get a challenge, run it through the reader after inserting the card and entering the PIN, then it spits out the response, which you enter, and you're in... Simple, efficient, secure.

--
martin; (greetings from the heart of the sun.)
Re: Article on passwords in Wired News
> An article on passwords and password safety, including this neat bit:
>
> For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.
>
> http://www.wired.com/news/infostructure/0,1377,63670,00.html

One-time passwords (TANs) was another thing I covered in the "Why isn't the Internet secure yet, dammit!" talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that are planning to introduce these in the foreseeable future. I've also been unable to get any credible explanation as to why not, as far as I can tell it's "We're not hurting enough yet". Maybe it's just a cultural thing, certainly among European banks it seems to be a normal part of allowing customers online access to banking facilities.

(If anyone from the outside-Europe banking industry can provide me with an explanation for non-use of TANs that goes beyond "We're looking into it", I'd be interested in hearing from them).

Peter.
Re: Article on passwords in Wired News
On Thu, Jun 03, 2004 at 08:14:39PM +1200, Peter Gutmann wrote:

> One-time passwords (TANs) was another thing I covered in the "Why isn't the Internet secure yet, dammit!" talk I mentioned here a few days ago. From talking to assorted (non-European) banks, I haven't been able to find any that

Customers hate PINs/TANs (have to carry them around, PINs typically are not alphanumeric, and fixed-length, print is low-contrast). Which is why power users have a (Windows-only, for some reason couldn't get GNUcash working, despite right crypto libraries and proper port punched through firewall) HBCI software alternatives. Which are not used widely, alas.

Banks tried to push smart cards, but very half-heartedly (didn't offer free readers, which could have created critical mass).

Now some folks are trying to use existing smartcard-authenticated mobile phone infrastructure for online payments, but it has its own problems (Bluetooth/IrDA, security, fax effect, etc).

--
Eugen* Leitl
http://www.leitl.org
Re: Article on passwords in Wired News
Eugen Leitl wrote:

> Banks tried to push smart cards, but very half-heartedly (didn't offer free readers, which could have created critical mass).

There was one of those net-only bank-like operations in the last days of the bubble that did offer free smart-card readers. That's what prompted me to sign up. Of course, the bubble burst and I never did get my free reader.

--
Roy M. Silvernail
http://www.rant-central.com
Article on passwords in Wired News
An article on passwords and password safety, including this neat bit:

  For additional security, she then pulls out a card that has 50 scratch-off codes. Jubran uses the codes, one by one, each time she logs on or performs a transaction. Her bank, Nordea PLC, automatically sends a new card when she's about to run out.

http://www.wired.com/news/infostructure/0,1377,63670,00.html

--
Perry E. Metzger [EMAIL PROTECTED]
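
The scratch-card TAN scheme discussed in this thread, sketched from the bank's side as an added example; it is not part of any post and not Nordea's implementation. The 6-digit code format, the strict in-order use, the reissue threshold, the lockout limit and all names are assumptions.

```python
import hashlib
import hmac
import secrets

CARD_SIZE = 50      # codes per card, as in the quoted article
REISSUE_BELOW = 5   # assumed threshold for mailing a new card
MAX_FAILURES = 3    # assumed lockout limit against online guessing


def _digest(salt, code):
    # Slow salted hash: raises the cost of recovering unused codes from a
    # leaked table (short numeric codes stay guessable given enough time).
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)


class TanCard:
    """Server-side record of one scratch card (hypothetical design)."""

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)
        self._hashes = [_digest(self._salt, c) for c in codes]
        self._next = 0       # index of the next unused code
        self.failures = 0    # consecutive wrong attempts

    @classmethod
    def issue(cls):
        """Return (codes to print on the card, server-side record)."""
        codes = [f"{secrets.randbelow(10**6):06d}" for _ in range(CARD_SIZE)]
        return codes, cls(codes)

    @property
    def remaining(self):
        return len(self._hashes) - self._next

    @property
    def needs_reissue(self):
        return self.remaining < REISSUE_BELOW

    def verify(self, code):
        """Accept only the next unused code, once; lock after repeated misses."""
        if self.failures >= MAX_FAILURES or self.remaining == 0:
            return False
        if hmac.compare_digest(_digest(self._salt, code), self._hashes[self._next]):
            self._next += 1      # code is spent and cannot be replayed
            self.failures = 0
            return True
        self.failures += 1
        return False
```

A code captured by a keylogger is already spent by the time it is seen, which is the property the fixed-password schemes in the thread lack.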