[Gllug] Any UK banks using one time passwords / secure ID tokens ?

Paul Rayner paul at ylemsolutions.com
Tue Oct 18 12:41:08 UTC 2005


On 12 Oct 2005, at 22:53, Daniel P. Berrange wrote:

>> Daniel P. Berrange wrote:
>>> passwords and/or one time keys from a secure ID generator token. I hear
>>> such measures are common practice in countries such as Sweden, but that's
>>> not much use for me. So, my question, does anyone know of any UK banks
>>> which are providing this kind of level of serious security ?

Looks like Lloyds TSB are running a trial:

http://www.channelregister.co.uk/2005/10/18/lloyds_tsb_password_generators/

(Two factor authentication using a key fob which displays a unique one
time number when its button is pressed)

>
> Hmm, although useful against spyware, looks like one can scratch one-time
> passwords from the list of security measures to fight against phishing
>
>   http://www.theregister.co.uk/2005/10/12/outlaw_phishing/
>
> "Recipients were directed to several fake websites, .... Regardless of
>  what you entered, the site would complain about the scratch code and
>  asked you to try the next one. In reality the bad boys were trying to
>  collect several scratch codes for their own use."
>
> Obvious man-in-the-middle attack really when you think about it. Would
> need a challenge-response scheme to prevent this I guess.

They might have missed a trick here. If they're issuing electronic  
devices is it that much of a leap to make them challenge response? It's  
hardly difficult to do challenge response with paper - issue a book of  
a few thousand codes, each sequentially numbered, then ask the user  
"Please enter code number 1094".

"Bacon [Lloyds TSB spokesman] indicated that a longer-term security  
solution for online banking could be card readers."

If this means a card reader plugged in to your PC, what are the chances
of these working with Linux? How likely are the banks to allow open
source drivers for card readers? Not very I'd guess. Standalone readers
OTOH, would make good sense (enter this number into your card reader,
enter your PIN into your card reader, then type the number displayed on
the reader into this box).

Paul

--
Paul Rayner
Ylem Solutions Ltd ~ 32-38 Leman St, London. E1 8EW
Office: 020 7173 6241 ~ Mobile: 07739 143 763 ~  
Paul.Rayner at YlemSolutions.com

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
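
The numbered code book idea from the message above ("Please enter code number 1094"), sketched as the bank-side check. This is an added example, not part of the original post; the `CodeBook` class, the book size, code length and attempt limit are all assumptions.

```python
import hmac
import secrets


class CodeBook:
    """Server-side state for one customer's numbered paper code book."""

    def __init__(self, size=2000, digits=6, max_attempts=3):
        # Constructed sample book: index -> code, as printed for the customer.
        self.codes = {i: f"{secrets.randbelow(10 ** digits):0{digits}d}"
                      for i in range(1, size + 1)}
        self.pending = None          # index currently being asked for
        self.attempts = 0
        self.max_attempts = max_attempts
        self.locked = False

    def challenge(self):
        """Return the index to ask for ("Please enter code number N")."""
        if self.locked or not self.codes:
            raise RuntimeError("book locked or exhausted; reissue out of band")
        if self.pending is None:
            # The server, not the user, picks the index, unpredictably.
            self.pending = secrets.choice(sorted(self.codes))
            self.attempts = 0
        # A failed attempt does not move on to another index, so a page
        # that keeps asking for "the next one" is not behaving like the bank.
        return self.pending

    def verify(self, index, code):
        """Accept only the pending index, once, in constant time."""
        if self.locked or self.pending is None or index != self.pending:
            return False
        ok = hmac.compare_digest(self.codes[index].encode(), code.encode())
        if ok:
            del self.codes[index]    # single use
            self.pending = None
            return True
        self.attempts += 1
        if self.attempts >= self.max_attempts:
            self.locked = True       # stop guessing against one index
        return False
```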



