Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

From: root (lyal.collins_at_key2it.com.au)
Date: 08/06/05

    Date: Sat, 06 Aug 2005 16:40:40 -0400
    To: adityad2005@users.sourceforge.net
    
    

    Aditya Deshmukh wrote:

    >The only most secure protection is a one time password with a challenge /
    >response scheme. Most of the banks in Europe already do this.
    >
    >They give out a calculator like device to the customers and when you want to
    >login you are presented with a challenge that you punch into your device
    >which spits a response that you enter that into the form....
    >
    >Costly for the bank but very effective security for the customer and bank in
    >terms of gain in security and decrease in losses due to fraud ....
    >
    >
    >- Aditya
    >
    >
    >
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >Hosted and sponsored by Secunia - http://secunia.com/
    >
    >
    >
    >
    Respectfully, I disagree.
    Although I never attended, this year's IT Underground conference in
    Poland promised a hands-on session breaking OTP tokens. As Schneier
    says, OT token devices merely force a tactical shift by the attacker, not
    a permanent fix.
    The credit card industry's 'fixes' have only been effective for weeks to
    months over the past decade, so I don't consider OTPs will make much
    difference relative to the cost in the mid-long term.

    Lyal

