[Clips] Banks Seek Better Online-Security Tools
Florian Weimer
fw at deneb.enyo.de
Mon Dec 5 13:56:05 EST 2005
* Eugen Leitl:
> The German PIN/TAN system is reasonably secure, being an effective
> one-time pad distributed through out of band channel (mailed dead
> tree in a tamperproof envelope).
Some banks have optimized away the special envelope. 8-(
> It is of course not immune to phishing (PIN/TAN harvesting), which
> has become quite rampant recently.
And we face quite advanced attack technology, mainly compromised end
systems. We are well beyond the point where simple tokens (like RSA
SecurID) would help.
> I do have a HBCI smartcard setup with my private account but don't use it
> since it's locked in a proprietary software jail.
The way the current attacks are carried out, smartcard-based HBCI is
less secure than the PIN/TAN model because with HBCI, you don't need
to authorize each transaction separately. At this stage, few people
recognize this problem, and German banks put high hopes on
smartcard-based online banking, despite its high costs in terms of
consumer devices and support calls.
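As an added illustration, not part of the post or of any bank's software, the Python model below contrasts the two authorization designs Florian compares: a PIN/TAN list, where every transaction must carry a fresh one-time TAN that is accepted only once, and a session model in the spirit of smartcard HBCI, where one strong authentication opens a channel and later transactions need no further per-transaction secret. The class names, TAN values, payee names and amounts are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (payee, amount in cents); all values in this example are constructed
Transaction = Tuple[str, int]


@dataclass
class TanListBank:
    """PIN/TAN model: every transaction must carry a fresh TAN from the
    customer's printed list, and each TAN is accepted at most once."""
    unused_tans: Set[str]
    used_tans: Set[str] = field(default_factory=set)
    ledger: List[Transaction] = field(default_factory=list)

    def submit(self, payee: str, amount: int, tan: str) -> str:
        if tan in self.used_tans:
            return "rejected: TAN already consumed"
        if tan not in self.unused_tans:
            return "rejected: TAN not on list"
        # Consume the TAN before recording the transaction so a replay
        # of the same TAN can never authorize a second transfer.
        self.unused_tans.remove(tan)
        self.used_tans.add(tan)
        self.ledger.append((payee, amount))
        return "accepted"


@dataclass
class SessionBank:
    """Session model as described in the post for smartcard HBCI: one
    authentication opens a session, after which transactions are
    accepted without any per-transaction secret."""
    session_open: bool = False
    ledger: List[Transaction] = field(default_factory=list)

    def open_session(self, smartcard_signature_valid: bool) -> None:
        self.session_open = smartcard_signature_valid

    def submit(self, payee: str, amount: int) -> str:
        if not self.session_open:
            return "rejected: no authenticated session"
        self.ledger.append((payee, amount))
        return "accepted"


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: the customer intends one transfer, and code on
    the same compromised endpoint then tries to push two further transfers
    through whatever authorization the customer has already provided."""
    intended: Transaction = ("Landlord", 80000)
    injected: List[Transaction] = [("Mule-1", 150000), ("Mule-2", 150000)]
    results: Dict[str, object] = {}

    # Constructed TAN list; real lists are mailed out of band on paper.
    tan_bank = TanListBank(unused_tans={"483920", "117734", "902211"})
    results["tan_intended"] = tan_bank.submit(*intended, tan="483920")
    # The endpoint only ever saw the one TAN the customer typed; the
    # per-transaction rule caps the damage at that single TAN.
    results["tan_injected"] = [tan_bank.submit(p, a, tan="483920") for p, a in injected]
    results["tan_ledger"] = list(tan_bank.ledger)

    session_bank = SessionBank()
    session_bank.open_session(smartcard_signature_valid=True)
    results["session_intended"] = session_bank.submit(*intended)
    # Nothing distinguishes the injected transfers from the intended one
    # once the session is open, so all of them are accepted.
    results["session_injected"] = [session_bank.submit(p, a) for p, a in injected]
    results["session_ledger"] = list(session_bank.ledger)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model captures only the per-transaction authorization difference the post is about: the TAN list bounds what a compromised endpoint can do to the TANs it has actually seen, while the session model places no such bound. It deliberately does not model TAN harvesting through phishing, which the post notes remains a problem for PIN/TAN as well.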
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com