Article on passwords in Wired News

Ernst Lippe ernstl at planet.nl
Sat Jun 5 04:19:44 EDT 2004


On Friday 04 June 2004 02:24, martin f krafft wrote:
> also sprach Peter Gutmann <pgut001 at cs.auckland.ac.nz> [2004.06.03.1014 +0200]:
> > One-time passwords (TANs) was another thing I covered in the "Why
> > isn't the Internet secure yet, dammit!" talk I mentioned here
> > a few days ago.  From talking to assorted (non-European) banks,
> > I haven't been able to find any that are planning to introduce
> > these in the foreseeable future.  I've also been unable to get any
> > credible explanation as to why not, as far as I can tell it's
> > "We're not hurting enough yet".  Maybe it's just a cultural thing,
> > certainly among European banks it seems to be a normal part of
> > allowing customers online access to banking facilities.
>
> While these are definitely nice, I am not particularly pleased. For
> one, they are only "what you have", and not anything else.
>
> I love the Swiss system, which is a token card and a reader, locked
> with a PIN. You go to the web, get a challenge, run it through the
> reader after inserting the card and entering the pin, then it spits
> out the response, which you enter, and you're in...

What is that card? There are some schemes that use debit cards
with an embedded smartcard. If you are referring to one of these
schemes I don't think that they are more secure than TAN's. If
it is a card that you carry along with you, the risk that it will
be stolen is higher than the risk that some TAN's will be stolen,
because in most cases you are able to store your TAN's in
a safe place in your home. The only apparent advantage of
using a card is the PIN, i.e. "something you know", but all
internet banking applications that I have seen require some form
of password which has at least the same security as a PIN.
If it really is a debit card, then the security is probably
even worse. In several debit card schemes the PIN for cash
transactions is the same as the PIN for web transactions (if
the users have the possibility to change either PIN, it
is a safe bet that they will both be the same), and it is not
at all difficult to determine the PIN in this case.

TAN's are probably somewhat more reliable than your card terminal,
which needs batteries and is susceptible to hardware problems
with the card, such as the electrical contacts of the smartcard.
Also TAN's are somewhat more convenient for the user because
they don't have to type the challenge into some device. Most such
devices that I have seen had very small keyboards and displays
that will be troublesome for users with visual or motoric handicaps.

TAN's are susceptible to copying, while smartcards are at first sight
not vulnerable to this threat. Some TAN lists are protected with
a coating that must be scratched off; in this case it will be difficult
to copy the list. Also with smartcards you will have to be very careful
about the card terminals where you use the card. For mag-stripe cards
fake terminals have become really popular in recent years, and there
is no real technical reason why the same cannot be done for smartcards
as well. When you can use the smartcard in a smartcard reader that
is directly connected to a PC, it can also be used remotely
by an attacker.

So overall I don't think that there is a very big difference
in security between TAN's and smartcards, and in certain circumstances
TAN's could actually be safer.

Ernst Lippe
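As an added illustration, not part of Ernst Lippe's post or of this thread, the following Python sketch models the two schemes being compared: a TAN list, where a copied TAN is accepted until its first use, and a PIN-locked card with a per-login challenge, where an observed response is worthless at the next login. The HMAC-based response computation, the sample TANs, the card key and the PIN are assumptions made for the demo, not any bank's actual protocol.

```python
import hashlib
import hmac
import secrets
# Constructed sample values, not from any real bank.
TAN_LIST = ["482913", "105774", "930281"]  # as printed on the customer's list
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "4711"

def response_for(card_key: bytes, challenge: str, digits: int = 8) -> str:
    # Assumed reader computation: HMAC-SHA256 of the challenge, truncated.
    mac = hmac.new(card_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)
def reader_respond(card_key: bytes, card_pin: str, entered_pin: str, challenge: str):
    # The PIN ("something you know") unlocks the card ("something you have").
    if not hmac.compare_digest(entered_pin.encode(), card_pin.encode()):
        return None
    return response_for(card_key, challenge)

class TanServer:
    # Bank side of a TAN list: each printed TAN is accepted exactly once.
    def __init__(self, tans):
        self.unused = set(tans)
    def verify(self, tan: str) -> bool:
        if tan not in self.unused:
            return False
        self.unused.discard(tan)  # a copied TAN works only until first use
        return True

class ChallengeServer:
    # Bank side of the card scheme: a fresh random challenge for every login.
    def __init__(self, card_key: bytes):
        self._key, self._pending = card_key, None
    def challenge(self) -> str:
        self._pending = secrets.token_hex(8)
        return self._pending
    def verify(self, response) -> bool:
        if self._pending is None or response is None:
            return False
        expected, self._pending = response_for(self._key, self._pending), None
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    tan_srv, cr_srv = TanServer(TAN_LIST), ChallengeServer(CARD_KEY)
    r1 = reader_respond(CARD_KEY, CARD_PIN, CARD_PIN, cr_srv.challenge())
    cr_ok = cr_srv.verify(r1)
    cr_srv.challenge()  # next login: new challenge, so the old response fails
    return {"tan_first": tan_srv.verify(TAN_LIST[0]),   # copied TAN, first use
            "tan_replay": tan_srv.verify(TAN_LIST[0]),  # same TAN again
            "cr_ok": cr_ok, "cr_replay": cr_srv.verify(r1),
            "wrong_pin": reader_respond(CARD_KEY, CARD_PIN, "0000", "x")}
```

Neither model addresses the post's other points (a fake or PC-connected reader relaying challenges, or a PIN that is as guessable as a password), which is why the comparison in the post comes out closer than the replay behaviour alone suggests.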


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
