Crypto dongles to secure online transactions

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Nov 20 02:13:52 EST 2009


John Levine <johnl at iecc.com> writes:

>I told him about an approach to use a security dongle that puts the display
>and confirmation outside the range of the malware, and although I thought it
>was fairly obvious, he'd apparently never heard it before.

Some general thoughts on this: there have been attempts going back at least
ten years to bring devices like this to market (for example I have a nice
device that does exactly this, built in the late 90s, sitting in a drawer
somewhere), but they always die for the same reason, lack of interest and, for
the few who are interested, lack of interest in paying the cost.

>I've made it an entry in my blog at
>
>http://weblog.johnlevine.com/Money/securetrans.html
>
>[...]
>
>I don't understand why banks aren't using this approach already.

Because (apart from the reasons given above) with business use specifically
you run into insurmountable PC <-> device communications problems.  Many
companies who handle large financial transactions are also ones who, due to
concern over legal liability, block all access to USB ports to prevent
external data from finding its way onto their corporate networks (they are
really, *really* concerned about this).  If you wanted this to work, you'd
need to build a device with a small CMOS video sensor to read data from the
browser via QR codes and return little more than a 4-6 digit code that the
user can type in (a MAC of the transaction details or something).  It's
feasible, but not quite what you were thinking of.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
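The scheme sketched in the post above (device reads the transaction details from a QR code, shows them on its own screen, and returns a short code that is a MAC of those details for the user to type in) is illustrated below. This is an added example, not code from the post, the mailing list, or any bank or vendor product. Everything beyond the post's outline is an assumption: HMAC-SHA256 as the MAC, a per-customer key shared between device and bank, a canonical JSON encoding of the fields, a bank-issued transaction reference so a code cannot be replayed for a repeated identical transfer, and 6-digit truncation done the way RFC 4226 (HOTP) does it. The key and transaction values are constructed for the demo.

```python
"""Out-of-band transaction confirmation: short code = truncated MAC of the details.

Added illustration of the dongle scheme described in the post. Assumed, not
taken from the post: HMAC-SHA256, a shared per-customer key, canonical JSON
encoding of the fields, a bank-issued 'txid' reference, RFC 4226-style
truncation to 6 decimal digits.
"""
import hashlib
import hmac
import json

CODE_DIGITS = 6  # the post says "4-6 digit code"; 6 assumed here

# Constructed demo key shared by dongle and bank (would be provisioned at enrolment).
DEMO_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

# Constructed transaction the user actually intends to make.
INTENDED = {"to": "NZ-12-3456-7890123-00", "amount": "250.00",
            "currency": "NZD", "txid": "constructed-0001"}


def canonical_transaction(tx: dict) -> bytes:
    """Serialize the transaction fields into one unambiguous byte string.

    Dongle and bank must agree on this byte-for-byte or codes never match;
    sorted keys, no whitespace and a fixed field list make it deterministic.
    """
    fields = {k: tx[k] for k in ("to", "amount", "currency", "txid")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def confirmation_code(key: bytes, tx: dict) -> str:
    """MAC the transaction details and reduce the tag to a short decimal code."""
    tag = hmac.new(key, canonical_transaction(tx), hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226: 4 bytes at an offset taken from the
    # last nibble of the tag, top bit cleared, reduced modulo 10**digits.
    offset = tag[-1] & 0x0F
    value = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def dongle(key: bytes, qr_payload: bytes) -> tuple:
    """Device side: decode the payload, render it on the device's OWN display,
    compute the code. QR image decoding is out of scope; the payload is taken
    as the bytes the browser would have encoded into the QR code."""
    tx = json.loads(qr_payload)
    shown = f"Pay {tx['amount']} {tx['currency']} to {tx['to']} (ref {tx['txid']})"
    return shown, confirmation_code(key, tx)


def user_approves(shown: str, intended: dict) -> bool:
    """The user compares the trusted display against what they meant to do."""
    return all(intended[k] in shown for k in ("to", "amount", "currency"))


def bank_verify(key: bytes, submitted: dict, typed_code: str) -> bool:
    """Bank side: recompute the code over the transaction it actually received."""
    return hmac.compare_digest(confirmation_code(key, submitted), typed_code)


def scenario_honest() -> bool:
    """No malware: display matches intent, typed code verifies at the bank."""
    shown, code = dongle(DEMO_KEY, json.dumps(INTENDED).encode())
    return user_approves(shown, INTENDED) and bank_verify(DEMO_KEY, INTENDED, code)


def scenario_malware_alters_submission() -> bool:
    """Malware shows the user the genuine details (user approves, types the code)
    but submits a different payee to the bank. The code was computed over the
    intended details, so the bank's recomputation fails."""
    shown, code = dongle(DEMO_KEY, json.dumps(INTENDED).encode())
    if not user_approves(shown, INTENDED):
        raise RuntimeError("display should match in this scenario")
    tampered = dict(INTENDED, to="NZ-99-9999-9999999-99")
    return bank_verify(DEMO_KEY, tampered, code)


def scenario_malware_alters_qr() -> bool:
    """Malware rewrites the QR payload as well, so the code WOULD verify, but the
    device's own screen now shows the wrong payee and the user declines."""
    tampered = dict(INTENDED, to="NZ-99-9999-9999999-99")
    shown, _code = dongle(DEMO_KEY, json.dumps(tampered).encode())
    return user_approves(shown, INTENDED)


if __name__ == "__main__":
    print("honest flow verified:        ", scenario_honest())
    print("altered submission verified: ", scenario_malware_alters_submission())
    print("altered QR approved by user: ", scenario_malware_alters_qr())
```

The two failure scenarios show why both halves of the design matter: the MAC defeats tampering after approval, and the device's independent display defeats tampering before it. Two practical points follow from the short code: a 6-digit value gives only a million possibilities, so the bank has to rate-limit attempts per transaction, and binding the code to a single bank-issued reference (the assumed `txid`) stops a captured code being reused for a second, identical transfer.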
