Re: Article on passwords in Wired News

2004-06-07 Thread Peter Fairbrother
Peter Gutmann wrote:

> An article on passwords and password safety, including this neat bit:
>
>    For additional security, she then pulls out a card that has 50
>    scratch-off codes. Jubran uses the codes, one by one, each time she
>    logs on or performs a transaction. Her bank, Nordea PLC, automatically
>    sends a new card when she's about to run out.
>
> http://www.wired.com/news/infostructure/0,1377,63670,00.html
>
> One-time passwords (TANs) were another thing I covered in the "Why isn't the
> Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
> talking to assorted (non-European) banks, I haven't been able to find any that
> are planning to introduce these in the foreseeable future.  I've also been
> unable to get any credible explanation as to why not; as far as I can tell
> it's "We're not hurting enough yet".  Maybe it's just a cultural thing;
> certainly among European banks it seems to be a normal part of allowing
> customers online access to banking facilities.

My (European) bank uses memorable information, an alphanumeric string
provided by me, and they ask for three randomly chosen characters when
authenticating online. There is also a fixed password.

Not terribly secure, or terribly one-time, but it would defeat a simple
keylogger or shoulder surfing attack, for instance. It doesn't give me the
warm fuzzies, but it does mean I would use a dodgy terminal at least once if
I was stuck in the badlands (and then change passwords etc.).


-- 
Peter Fairbrother
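The "three randomly chosen characters" scheme Peter describes above is a partial-password challenge. The following Python is an added example, not code from any bank or from this thread: the server picks three positions of the memorable string, the user types only those characters, and the comparison is constant-time. It also works out what Peter's caveat ("not terribly secure, or terribly one-time") means in numbers: a keylogger or shoulder surfer who records a few successful logins learns the whole string. The secret length and the sample string are constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from fractions import Fraction

POSITIONS_ASKED = 3   # the bank asks for three characters, as in the post


def make_challenge(secret_len: int, k: int = POSITIONS_ASKED) -> list[int]:
    """Server side: pick k distinct 0-based positions of the memorable string."""
    return sorted(secrets.SystemRandom().sample(range(secret_len), k))


def check_answer(secret: str, positions: list[int], answer: str) -> bool:
    """Compare the requested characters with what the user typed, in constant time.

    Note the server must be able to read individual characters of the secret, so
    the memorable string cannot be stored as one salted hash; it has to be kept
    reversibly encrypted (or as per-position hashes). That is the scheme's main
    server-side cost compared with an ordinary password.
    """
    if len(answer) != len(positions):
        return False
    expected = "".join(secret[i] for i in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def observer_coverage(secret_len: int, observations: int,
                      k: int = POSITIONS_ASKED) -> Fraction:
    """Expected fraction of the secret a passive observer (keylogger, shoulder
    surfer) knows after recording `observations` successful logins.

    Each position is asked for in a given login with probability k/n, so it is
    still unknown after m logins with probability (1 - k/n)^m; by linearity of
    expectation the expected known fraction is 1 - (1 - k/n)^m (exact).
    """
    p_miss = 1 - Fraction(k, secret_len)
    return 1 - p_miss ** observations


def logins_until_fully_observed(secret_len: int, k: int = POSITIONS_ASKED) -> int:
    """Simulate a passive observer who records every challenge/answer pair and
    count how many logins it took until every position had been revealed."""
    seen: set[int] = set()
    logins = 0
    while len(seen) < secret_len:
        seen.update(make_challenge(secret_len, k))
        logins += 1
    return logins


if __name__ == "__main__":
    secret = "correcthorse"                      # constructed sample, 12 characters
    positions = make_challenge(len(secret))
    print("ask for positions", [p + 1 for p in positions])
    print("expected coverage after 3 observed logins:",
          float(observer_coverage(len(secret), 3)))
    print("simulated logins until fully observed:",
          logins_until_fully_observed(len(secret)))
```

The takeaway for the defender is the one Peter draws himself: the scheme blunts a single observation (three characters do not let the observer log in next time, because different positions will be asked for), but it only buys a handful of logins, after which the observer has the full string. Rate-limiting failed answers and changing the string after any use on an untrusted terminal are what make it tolerable.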

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Article on passwords in Wired News

2004-06-06 Thread Adam Fields
On Sat, Jun 05, 2004 at 10:06:20AM +0530, Udhay Shankar N wrote:
> Citibank in India experimented with a special case of this a few years ago
> - online credit cards - basically, a credit card number valid for one use
> only, which would be ideal for online purchasing.
>
> IIRC, the offering was withdrawn because there weren't enough takers.

American Express still does this, although it's difficult to find and use.

They call it Private Payments.

-- 
- Adam

-
http://www.adamfields.com



Re: Article on passwords in Wired News

2004-06-04 Thread martin f krafft
also sprach Peter Gutmann [EMAIL PROTECTED] [2004.06.03.1014 +0200]:
> One-time passwords (TANs) were another thing I covered in the "Why
> isn't the Internet secure yet, dammit!" talk I mentioned here
> a few days ago.  From talking to assorted (non-European) banks,
> I haven't been able to find any that are planning to introduce
> these in the foreseeable future.  I've also been unable to get any
> credible explanation as to why not; as far as I can tell it's
> "We're not hurting enough yet".  Maybe it's just a cultural thing;
> certainly among European banks it seems to be a normal part of
> allowing customers online access to banking facilities.

While these are definitely nice, I am not particularly pleased. For
one, they are only what you have, and not anything else.

I love the Swiss system, which is a token card and a reader, locked
with a PIN. You go to the web, get a challenge, run it through the
reader after inserting the card and entering the pin, then it spits
out the response, which you enter, and you're in...

Simple, efficient, secure.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
you raise the blade, you make the change
 you rearrange me till i'm sane.
 you lock the door, and throw away the key,
 there's someone in my head but it's not me.
   -- pink floyd, 1972
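The Swiss card-and-reader system martin describes is a challenge-response token: the card holds a key, the PIN unlocks it, and the reader computes a response to a challenge shown on the web page. The Python below is an added sketch of such a scheme, not the protocol any Swiss bank actually uses; the truncated HMAC-SHA256, the 8-digit challenge and response, the two-minute challenge lifetime and the three-try PIN counter are all assumptions chosen for the example. It shows why the token combines "what you have" (the key never leaves the card) with "what you know" (the PIN), and why a keylogged response is useless afterwards: each challenge is random, single-use and expires.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_DIGITS = 8   # assumption: the web page shows an 8-digit challenge
RESPONSE_DIGITS = 8    # assumption: the reader displays an 8-digit response
CHALLENGE_TTL = 120    # seconds a challenge stays valid (assumption)
PIN_TRIES = 3          # assumption: the card blocks after three wrong PINs


def compute_response(card_key: bytes, challenge: str) -> str:
    """Card-side computation (assumed algorithm): HMAC-SHA256 over the
    challenge, truncated to decimal digits so it fits a numeric display."""
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    value = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return f"{value:0{RESPONSE_DIGITS}d}"


@dataclass
class TokenCard:
    """What the user has. The key never leaves the card; the PIN (what the
    user knows) gates its use, and a retry counter stops PIN guessing
    against a stolen card."""
    key: bytes
    pin: str
    tries_left: int = PIN_TRIES

    def respond(self, pin: str, challenge: str) -> str | None:
        if self.tries_left == 0:
            return None                     # card is blocked
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = PIN_TRIES         # correct PIN resets the counter
        return compute_response(self.key, challenge)


class BankServer:
    """Server side: holds a copy of each card key and one pending challenge
    per account."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.pending: dict[str, tuple[str, float]] = {}   # account -> (challenge, issued_at)

    def issue_card(self, account: str, pin: str) -> TokenCard:
        key = secrets.token_bytes(32)
        self.keys[account] = key
        return TokenCard(key, pin)

    def new_challenge(self, account: str, now: float | None = None) -> str:
        challenge = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self.pending[account] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, account: str, response: str, now: float | None = None) -> bool:
        entry = self.pending.pop(account, None)   # single use: consumed on any attempt
        if entry is None or account not in self.keys:
            return False
        challenge, issued = entry
        now = time.time() if now is None else now
        if now - issued > CHALLENGE_TTL:
            return False                          # stale challenge, even if correct
        expected = compute_response(self.keys[account], challenge)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    bank = BankServer()
    card = bank.issue_card("acct-1", "1234")      # constructed account and PIN
    challenge = bank.new_challenge("acct-1")
    response = card.respond("1234", challenge)
    print("challenge", challenge, "response", response,
          "accepted:", bank.verify("acct-1", response))
```

A dodgy terminal that records the session gets a challenge and the matching response, but the next login presents a different challenge, so the recording does not help; the same terminal also never sees the PIN, which is typed into the reader rather than the keyboard.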




Re: Article on passwords in Wired News

2004-06-03 Thread Peter Gutmann
> An article on passwords and password safety, including this neat bit:
>
>    For additional security, she then pulls out a card that has 50
>    scratch-off codes. Jubran uses the codes, one by one, each time she
>    logs on or performs a transaction. Her bank, Nordea PLC, automatically
>    sends a new card when she's about to run out.
>
> http://www.wired.com/news/infostructure/0,1377,63670,00.html

One-time passwords (TANs) were another thing I covered in the "Why isn't the
Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
talking to assorted (non-European) banks, I haven't been able to find any that
are planning to introduce these in the foreseeable future.  I've also been
unable to get any credible explanation as to why not; as far as I can tell
it's "We're not hurting enough yet".  Maybe it's just a cultural thing;
certainly among European banks it seems to be a normal part of allowing
customers online access to banking facilities.

(If anyone from the outside-Europe banking industry can provide me with an
 explanation for non-use of TANs that goes beyond "We're looking into it", I'd
 be interested in hearing from them).

Peter.



Re: Article on passwords in Wired News

2004-06-03 Thread Eugen Leitl
On Thu, Jun 03, 2004 at 08:14:39PM +1200, Peter Gutmann wrote:

> One-time passwords (TANs) was another thing I covered in the "Why isn't the
> Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
> talking to assorted (non-European) banks, I haven't been able to find any that

Customers hate PINs/TANs (have to carry them around, PINs typically are not
alphanumeric and are fixed-length, print is low-contrast). Which is why power
users have (Windows-only; for some reason I couldn't get GNUcash working,
despite the right crypto libraries and the proper port punched through the firewall)
HBCI software alternatives. Which are not used widely, alas.

Banks tried to push smart cards, but very half-heartedly (didn't offer free
readers, which could have created critical mass). Now some folks are trying
to use existing smartcard-authenticated mobile phone infrastructure for
online payments, but it has its own problems (Bluetooth/IrDa, security, fax
effect, etc).

-- 
Eugen* Leitl  http://leitl.org
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net




Re: Article on passwords in Wired News

2004-06-03 Thread Roy M. Silvernail
Eugen Leitl wrote:
> Banks tried to push smart cards, but very half-heartedly (didn't offer free
> readers, which could have created critical mass).

There was one of those net-only bank-like operations in the last days
of the bubble that did offer free smart-card readers.  That's what 
prompted me to sign up.  Of course, the bubble burst and I never did get 
my free reader.
--
Roy M. Silvernail is [EMAIL PROTECTED], and you're not
Never Forget:  It's Only 1's and 0's!
SpamAssassin-procmail-/dev/null-bliss
http://www.rant-central.com



Article on passwords in Wired News

2004-06-02 Thread Perry E. Metzger

An article on passwords and password safety, including this neat bit:

   For additional security, she then pulls out a card that has 50
   scratch-off codes. Jubran uses the codes, one by one, each time she
   logs on or performs a transaction. Her bank, Nordea PLC, automatically
   sends a new card when she's about to run out.

http://www.wired.com/news/infostructure/0,1377,63670,00.html

-- 
Perry E. Metzger    [EMAIL PROTECTED]
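The scratch-off card in the quoted article is a list of one-time codes consumed in order, and it is also the TAN scheme Peter Gutmann discusses in his reply above. The Python below is an added example of the bank-side bookkeeping such a card needs; it is not Nordea's code or anything from the article or the thread. The card size of 50 comes from the article; the 6-digit code format, the reissue threshold of five remaining codes and the three-strikes lock are assumptions. The point it makes is what a keylogger gets: one code, already consumed the moment it was accepted, so replaying it fails, and the next code on the card is the only one the server will take.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

CARD_SIZE = 50            # codes per card, as in the article
CODE_DIGITS = 6           # assumption: the article does not say how long codes are
REISSUE_THRESHOLD = 5     # assumption: order a new card when this many codes remain
MAX_FAILURES = 3          # assumption: lock the card after this many wrong entries

# Constructed for the example; in production this is a server-held secret (HSM/KMS).
SERVER_PEPPER = secrets.token_bytes(32)


def generate_card(n: int = CARD_SIZE) -> list[str]:
    """Constructed sample card: n random numeric codes, to be printed under foil."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(n)]


def code_tag(card_id: str, index: int, code: str) -> bytes:
    """Keyed hash of one code. A plain hash of a 6-digit code is brute-forced in
    seconds if the database leaks; binding it to a server-held key (and to the
    card and position) means a leaked table alone yields nothing."""
    msg = f"{card_id}:{index}:{code}".encode()
    return hmac.new(SERVER_PEPPER, msg, hashlib.sha256).digest()


@dataclass
class TanCard:
    card_id: str
    tags: list[bytes]          # keyed hashes; the cleartext codes exist only on paper
    next_index: int = 0        # the card is used strictly in order
    failures: int = 0
    locked: bool = False

    @property
    def remaining(self) -> int:
        return len(self.tags) - self.next_index

    def needs_reissue(self) -> bool:
        """True when it is time to mail the customer a fresh card."""
        return self.remaining <= REISSUE_THRESHOLD


def enrol_card(card_id: str, codes: list[str]) -> TanCard:
    """Store only the keyed hashes; the printed codes are never kept."""
    return TanCard(card_id, [code_tag(card_id, i, c) for i, c in enumerate(codes)])


def next_code_prompt(card: TanCard) -> str:
    """What the login page tells the user to scratch off next (1-based)."""
    return f"Enter code #{card.next_index + 1} from card {card.card_id}"


def verify_tan(card: TanCard, entered: str) -> bool:
    """Check `entered` against the next unused code only. A correct code is
    consumed on acceptance, so anything captured by a keylogger is worthless
    afterwards; repeated wrong entries lock the card."""
    if card.locked or card.remaining == 0:
        return False
    expected = card.tags[card.next_index]
    if hmac.compare_digest(code_tag(card.card_id, card.next_index, entered), expected):
        card.next_index += 1
        card.failures = 0
        return True
    card.failures += 1
    if card.failures >= MAX_FAILURES:
        card.locked = True
    return False


if __name__ == "__main__":
    codes = generate_card()
    card = enrol_card("card-001", codes)          # constructed card id
    print(next_code_prompt(card))
    print("first use:", verify_tan(card, codes[0]))
    print("replay of same code:", verify_tan(card, codes[0]))
    print("remaining:", card.remaining, "reissue needed:", card.needs_reissue())
```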



Re: Article on passwords in Wired News

2004-06-02 Thread Perry E. Metzger

FYI, /. has posted a story on this, but, true to form, they confuse
one time passwords with one time pads.

Perry
