[Gllug] Any UK banks using one time passwords / secure ID tokens ?
Daniel P. Berrange
dan at berrange.com
Wed Oct 12 21:53:50 UTC 2005
On Sun, Oct 02, 2005 at 03:36:06PM +0200, Martin A. Brooks wrote:
> Daniel P. Berrange wrote:
> >passwords and/or one time keys from a secure ID generator token. I hear
> >such measures are common practice in countries such as Sweden, but that's
> >not much use for me. So, my question, does anyone know of any UK banks
> >which are providing this kind of level of serious security ?
>
> Norway does this too. You are issued with an "access code" which you
> can then set to whatever you like. You are also given a credit
> card-sized piece of paper with 100 one-time codes written on it. You
> use the codes sequentially.
Hmm, although useful against spyware, looks like one can scratch one-time
passwords from the list of security measures to fight against phishing
http://www.theregister.co.uk/2005/10/12/outlaw_phishing/
"Recipients were directed to several fake websites, .... Regardless of
what you entered, the site would complain about the scratch code and
asked you to try the next one. In reality the bad boys were trying to
collect several scratch codes for their own use."
Obvious man-in-the-middle attack really when you think about it. Would
need a challenge-response scheme to prevent this I guess.
Dan.
--
|=- GPG key: http://www.berrange.com/~dan/gpgkey.txt -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- berrange at redhat.com - Daniel Berrange - dan at berrange.com -=|
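
An added example, not part of the original message: a Python sketch of the bank's side of the sequential scratch list discussed above, next to an assumed challenge-response variant in which the bank asks for a randomly chosen unused index. The class names, the sample code list and the harvested set are constructed for illustration. The variant only narrows what harvested codes are good for; it does not address a fake site that relays the live challenge.

```python
import hmac
import secrets

CODES = [f"{i * 7919:06d}" for i in range(1, 101)]  # constructed sample list
HARVESTED = {i: CODES[i] for i in range(3)}  # constructed: first three codes disclosed

class SequentialList:
    """Scratch list as described in the thread: codes are used in order."""
    def __init__(self, codes):
        self.codes, self.next_index = list(codes), 0

    def verify(self, code):
        # The bank accepts whichever code is next, so a disclosed "next" code is valid.
        if self.next_index >= len(self.codes):
            return False
        ok = hmac.compare_digest(self.codes[self.next_index], code)
        self.next_index += ok  # advance only on a correct code
        return ok

class ChallengedList:
    """Assumed variant: the bank names a random unused index at each login."""
    def __init__(self, codes, rng=None):
        self.codes = list(codes)
        self.unused = set(range(len(self.codes)))
        self.rng = rng or secrets.SystemRandom()
        self.pending = None

    def challenge(self):
        self.pending = self.rng.choice(sorted(self.unused))
        return self.pending

    def verify(self, code):
        if self.pending is None:
            return False
        index, self.pending = self.pending, None
        self.unused.discard(index)  # burn the index so a wrong guess cannot be retried
        return hmac.compare_digest(self.codes[index], code)

def replay_sequential():
    bank = SequentialList(CODES)
    return sum(bank.verify(code) for code in HARVESTED.values())

def replay_challenged(rng=None, attempts=3):
    bank = ChallengedList(CODES, rng)
    accepted = 0
    for _ in range(attempts):
        index = bank.challenge()  # only a holder of this exact index can answer
        accepted += bank.verify(HARVESTED.get(index, ""))
    return accepted
```

With 3 of 100 codes disclosed, every disclosed code is accepted by the sequential list, while the challenged list accepts one only when the bank happens to ask for a disclosed index.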