Re: Statistical Attack Against Virtual Banks

From: HC Security (securitat_private)
Date: Wed Feb 09 2000 - 00:06:10 PST


    > > Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
    > > least_ use one-time passwords, or so-called digipasses (the user types his
    > > PIN on a small, personal calculator-type device which returns a 6 digit
    > > code to use for authentication in the virtual bank - this code expires
    > > after 15 min or so).
    >
    > I don't see why this is better than a PIN, unless it is a separated
    > device (with the overhead of the user having to carry this token). In
    > addition, if I know how the device generates the code from the PIN, this
    > only represents an extra step in the attack.
    
    
    I was a little quick there. The one-time passwords (numbers) and digipasses
    won't appear more secure when it comes to the statistical attack. However,
    they drastically improve the security for the individual user as it
    prevents or hinders other types of attacks/hacks. Also, each digipass is
    hardcoded so they generate the key differently. What's more of a problem is
    the banks' tendency to choose too short public/private keys (512/40 is common).
    
    --
    Regards,
    
    Snorre Haugnes
    HC Security
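As an added illustration of the digipass scheme discussed above (this is example code written for this archive page, not anything from the original posters or from any bank's actual token), the following Python models a device with its own hard-coded secret that turns a PIN into a 6-digit code valid for one 15-minute window, plus the bank-side check. The code derivation (HMAC-SHA1 over the window counter and PIN, truncated HOTP-style), the device secrets, PINs and timestamps are all constructed assumptions; real digipasses use vendor-specific algorithms. The point it demonstrates is the one made in the reply: a captured code is useless for replay in its own window and expires with the next one, which a static PIN cannot offer.

```python
import hashlib
import hmac
import struct

# Constructed values for illustration: each token holds its own hard-coded secret,
# and the bank keeps a copy of that secret plus the user's PIN.
WINDOW_SECONDS = 15 * 60      # the "expires after 15 min or so" from the thread
CODE_DIGITS = 6               # the 6-digit code the device displays

DEVICE_SECRETS = {            # constructed per-device keys (assumption)
    "token-0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "token-0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
USER_PINS = {"token-0001": "4821", "token-0002": "7730"}  # constructed PINs


def window_counter(timestamp: int) -> int:
    """Index of the 15-minute window containing a Unix timestamp."""
    return timestamp // WINDOW_SECONDS


def otp_code(device_secret: bytes, pin: str, timestamp: int) -> str:
    """Code the device shows for this PIN in the current window.

    Assumed construction: HMAC-SHA1 over (window counter || PIN), truncated
    to six decimal digits in HOTP style. Real digipasses use vendor-specific
    algorithms; this only models the behaviour described in the thread.
    """
    msg = struct.pack(">Q", window_counter(timestamp)) + pin.encode("ascii")
    digest = hmac.new(device_secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    chunk = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{chunk % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class BankVerifier:
    """Bank-side check: recompute the expected code and refuse replays."""

    def __init__(self, secrets, pins):
        self.secrets = secrets
        self.pins = pins
        self.accepted = set()   # (device_id, window) pairs already used

    def verify(self, device_id: str, code: str, now: int) -> bool:
        secret = self.secrets.get(device_id)
        pin = self.pins.get(device_id)
        if secret is None or pin is None:
            return False
        expected = otp_code(secret, pin, now)
        if not hmac.compare_digest(expected, code):
            return False        # wrong PIN, wrong device, or code from another window
        key = (device_id, window_counter(now))
        if key in self.accepted:
            return False        # same code replayed inside its own window
        self.accepted.add(key)
        return True


def demo():
    """Walk through the properties the thread argues about; returns the outcomes."""
    bank = BankVerifier(DEVICE_SECRETS, USER_PINS)
    t0 = 1_000_000_000          # constructed login time (Unix seconds)
    code = otp_code(DEVICE_SECRETS["token-0001"], USER_PINS["token-0001"], t0)
    return {
        "fresh_login": bank.verify("token-0001", code, t0 + 30),
        "replay_same_window": bank.verify("token-0001", code, t0 + 60),
        "replay_next_window": bank.verify("token-0001", code, t0 + WINDOW_SECONDS + 1),
        "unknown_device": bank.verify("token-9999", code, t0 + 30),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four outcomes: the fresh login is accepted, the replayed code is refused both inside its window (the bank remembers it was used) and after the window rolls over (the expected code has changed), and an unregistered device id is refused outright. Note that none of this changes the statistical attack the thread is about, which is exactly the reply's point: per-user replay resistance is a separate property from the strength of the bank's key sizes.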
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:57 PDT