The bank fraud blame game

Philipp Gühring pg at futureware.at
Thu Jul 5 12:01:04 EDT 2007


Hi,

> > The second possibility has been realized by some European banks now, based
> > on SMS and mobile phones, which sends the important transaction details
> > together with a random authorisation code that is bound to the
> > transaction in the bank's database. The user can then verify the
> > transaction, and then has to enter the authorisation code on the
> > web interface.
>
> How large is this code?

5 characters, including numbers and letters. I think you have something like 4 
tries to enter a code correctly.

(rough estimation: 5^30 = 931322574615478515625 / 4 = 232830643653869628906 , 
so you have a chance of 1:232830643653869628906 per transaction if you try it 
4 times)

> The security of this system would seem to rest on the security of mobile
> phones against cloning.  How were mobile phones protected against cloning?

Well, the security depends on an attacker not being able to infect a specific 
user's computer with a MitB and knowing and being able to clone this 
specific user's mobile phone at the same time.


Peter Gutmann wrote:
> The external device emulates a standard USB memory key, to send data to it
> you write a file, to get data back you read a file (think "/dev").  There's
> no device driver to install, and no particularly tricky programming on the
> PC either.

Neat idea!  
It only has the problem that I know several companies already where you have 
to register your USB stick, and only registered USB sticks are allowed on the 
network ..., but it's a neat workaround, yes. 
I think SecurityLayer should be easily adaptable to that concept.
Do you already have a demo implementation of that external device, Peter?


Best regards,
Philipp Gühring

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
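The SMS-bound authorisation scheme discussed at the top of the message, as an added worked example (this is editor-written illustration code, not anything from the message, from the banks mentioned, or from SecurityLayer). It assumes a 36-symbol alphabet (digits plus uppercase letters) for the 5-character code and a limit of 4 attempts; the class and function names (BankServer, customer_confirms, and so on) and the in-memory "SMS outbox" standing in for an SMS gateway are all hypothetical. It shows the three properties the scheme relies on: the code is random and stored with the transaction details in the bank's database, the details the bank actually received travel out of band to the phone so a man-in-the-browser that rewrote the form is caught by the customer, and the attempt limit caps blind guessing.

```python
"""Transaction-bound SMS authorisation codes (editor-written example).

The bank stores the transaction exactly as the web interface received it,
together with a fresh random code, sends details plus code to the customer's
phone, and executes only when that code is entered for that stored
transaction within MAX_TRIES attempts.
"""
import hmac
import secrets
import string

ALPHABET = string.digits + string.ascii_uppercase   # assumption: 36 symbols
CODE_LEN = 5
MAX_TRIES = 4


def keyspace():
    """Number of distinct codes under the assumed alphabet and length."""
    return len(ALPHABET) ** CODE_LEN


def guess_success_probability(tries=MAX_TRIES):
    """Chance that an attacker who never sees the SMS hits the code in `tries` guesses."""
    return tries / keyspace()


class BankServer:
    """Hypothetical bank back end: pending transactions keyed by transaction id."""

    def __init__(self):
        self.pending = {}     # txid -> {"details": (account, recipient, amount), "code", "tries"}
        self.sms_outbox = []  # (account, message dict); stands in for the SMS gateway
        self.executed = []    # transactions that were confirmed

    def submit(self, account, recipient, amount):
        """Step 1: the web interface receives the transaction as the browser sent it."""
        txid = secrets.token_hex(8)
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.pending[txid] = {"details": (account, recipient, amount),
                              "code": code, "tries": 0}
        # The SMS carries the details the bank stored, not what the customer typed.
        self.sms_outbox.append((account, {"txid": txid, "recipient": recipient,
                                          "amount": amount, "code": code}))
        return txid

    def confirm(self, txid, entered_code):
        """Step 2: the code typed into the web interface is checked against the stored one."""
        entry = self.pending.get(txid)
        if entry is None:
            return "unknown"
        if entry["tries"] >= MAX_TRIES:
            return "locked"
        entry["tries"] += 1
        expected = entry["code"].encode()
        given = entered_code.upper().encode()
        if not hmac.compare_digest(expected, given):   # constant-time comparison
            return "locked" if entry["tries"] >= MAX_TRIES else "wrong code"
        del self.pending[txid]
        self.executed.append(entry["details"])
        return "executed"


def customer_confirms(server, account, intended_recipient, intended_amount):
    """The customer reads the latest SMS and enters the code only if it shows what they meant to send."""
    sms = next((m for a, m in reversed(server.sms_outbox) if a == account), None)
    if sms is None:
        return "no sms"
    if (sms["recipient"], sms["amount"]) != (intended_recipient, intended_amount):
        return "refused"   # out-of-band details differ from the customer's intent
    return server.confirm(sms["txid"], sms["code"])


def honest_transfer():
    """Constructed scenario: browser submits what the customer intended."""
    bank = BankServer()
    bank.submit("alice", "bob", 100)
    return customer_confirms(bank, "alice", "bob", 100)


def mitb_transfer():
    """Constructed scenario: a MitB rewrote recipient and amount before submission."""
    bank = BankServer()
    bank.submit("alice", "mule", 5000)            # what the bank actually received
    return customer_confirms(bank, "alice", "bob", 100)   # SMS shows mule/5000


def brute_force(guesses):
    """Constructed scenario: attacker without the phone guesses codes on the web interface."""
    bank = BankServer()
    txid = bank.submit("alice", "mule", 5000)
    return [bank.confirm(txid, g) for g in guesses]


if __name__ == "__main__":
    print("keyspace:", keyspace(), "p(success in 4 tries):", guess_success_probability())
    print("honest:", honest_transfer(), "| mitb:", mitb_transfer())
    print("brute force:", brute_force(["-----"] * 5))
```

The guessing attack is bounded by the attempt counter rather than by the code length alone, and the binding between the stored details and the SMS is what defeats the man-in-the-browser; the example deliberately keeps the code random and stored server-side, as the message describes, rather than deriving it from the transaction.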
