Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

• Previous message: Rajeev Kapoor: "[Full-disclosure] ecc keys support in IE"
• Maybe in reply to: Debasis Mohanty: "[Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon,  8 Aug 2005 07:37:57 -0700
To: <adityad2005@users.sourceforge.net>, <lyal.collins@key2it.com.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 06 Aug 2005 13:40:40 -0700 root
<lyal.collins@key2it.com.au> wrote:
>Aditya Deshmukh wrote:
>
>>The only most secure protection is a one time password with a
>challenge /
>>response scheme. Most of the banks in europe already do this.
>>
>>They give out a calculator like device to the customers and when
>u want to
>>login you are presented with a challenge that you punch into you
>device
>>which spits a response that you enter that into the form....
>>
>>Costly for the bank but very effective security for the customer
>and bank in
>>terms of gain in security and decrease in losses due to fraud
>....
>>
>>
>>- Aditya
>>
>>
>>
>>
>>__________________________________________________________________

>______
>>Delivered using the Free Personal Edition of Mailtraq
>(www.mailtraq.com)
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>Respectfully, I disagree.
>Although I never attended, this year's IT Underground conference
>in
>poland promised a hand on session breaking OTP tokens. As
>Schneier
>says, OT token device merely force a tactical shift by the
>attacker, not
>a permanent fix.
>The credit card industry's 'fixes' have only been effective for
>weeks to
>months over the past decade, so I don't consider OTPs will make
>much
>difference relative to the cost in the mid-long term.
>
>Lyal
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

There is no permanent security fix...for anything. Every system
that exists today will be vulnerable tomorrow, and every measure to
secure them that exists today will be thought to be old-school and
simplistic in a decade (probably much sooner, I'm allowing wiggle
room).

Starting from that point, with all due respect to Mr. Schneier as
parahphrased by Lyal, OTP tokens/two factor in general, while not
perfect, are light years beyond "Hey, type your password into this
webform for us, and we'll pull up your bank account." in terms of
doing what matters...securing the customer. Today. Not some
nebulous tomorrow where we all rest our finger on the passive DNA
scanner built into whatever user interface device we are using at
the time (and that will no doubt be vulnerable to man in the middle
attacks using DNA Dictionaries).

The Game is not "Can you make it permanently secure?"...you can't.
The Game is "Given the resources we have today (technical, fiscal,
human, physical, etc), how secure can we make systems that are at
risk and are appropriate to take such measures for?". Planning for
tomorrow while offering critiques of today's solutions is
great...and it will make tomorrow a better/safer place for our
data. But right now we have to make do with what's both available
and realistically achievable. OTPs are both.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkL3bkQACgkQfw4CJpLBxONDMwCdFkkukBzPPoGzY2RFv5TXjYNYFGEA
oIPFeDwa/Eu/gqyEHh+DF+SUdUU5
=rOmT
-----END PGP SIGNATURE-----

Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Previous message: Rajeev Kapoor: "[Full-disclosure] ecc keys support in IE"
• Maybe in reply to: Debasis Mohanty: "[Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Erasing an OTP file on a SD card. ... > SDCard will need to be stoled and analysed in a more difficult way. ... > want security, in this case the best way to deal with this situation ... Don't use a secure phone. ... The device storing the OTP itself ensures that it can be read only once. ... (sci.crypt) Re: Bank of America - On Line Banking *NOT* Secure? ... > Bank of America revised their web site. ... > secure without making the entire page secure. ... > people to use ignore the advice of security experts who all say, ... (sci.crypt) Re: Erasing an OTP file on a SD card. ... why do not allow our clients to have OTP ... > The security have a price, we have clients asking for OTP. ... you can be sure taht the algorithm is provably unbreakable ... Can i prove that it will be reasonably secure under any ... (sci.crypt) Re: Erasing an OTP file on a SD card. ... why do not allow our clients to have OTP ... >> The security have a price, we have clients asking for OTP. ... Can i prove that it will be reasonably secure under any ... (sci.crypt) Re: research into modern computer-based one-time pad implementations? ... > secure electronic message traffic, ... Computers are not particularly appropriate for implementing OTP. ... secure destruction of keying material as soon as it is used. ... your security degrades from "provably unbreakable" to "how good is the ... (sci.crypt)