Circle Bank plays with two-factor authentication
Richard Stiennon
richard at stiennon.com
Fri Sep 29 23:48:56 EDT 2006
Have you seen the technique used at http://www.griddatasecurity.com ? Sounds a lot like your original idea.
Screen shot here: http://blogs.zdnet.com/threatchaos/?p=374
-Richard Stiennon
At 02:40 PM 9/28/2006, Leichter, Jerry wrote:
>| Circle Bank is using a coordinate matrix to let
>| users pick three letters according to a grid, to be
>| entered together with their username and password.
>|
>| The matrix is sent by email, with the user's account
>| sign on ID in plaintext.
>|
>| Worse, the matrix is pretty useless for the majority of users,
>| with less usability than anything else I saw in a long time.
>| This is what the email says:
>|
>| The following is your Two Factor code for Online Banking for
>| username (sign on ID changed here for privacy reasons). You will be
>| required to enter the grid values associated with the three
>| Two Factor boxes presented with each sign-on to Online Banking.
>| Please save and store this Matrix in a safe yet accessible place.
>| The required entries will be different each time you sign-on.
>|
>|
>| Two Factor Matrix
>|
>|      A  B  C  D  E  F  G  H
>|      _  _  _  _  _  _  _  _
>|
>|  1   0  8  4  2  1  1  7  5
>|  2   7  4  9  9  2  4  2  0
>|  3   3  6  0  6  9  9  0  6
>|  4   6  4  5  1  4  6  8  4
>|  5   1  7  6  8  6  5  9  2
>| ...
>Wow. A variation of an idea I suggested back in the '70's.... The
>problem then was with telephone calling cards. As those of us old
>enough will remember, at one time you didn't have a cell phone with you
>at all times (or at any times). You had to use these things called pay
>phones. Long distance calls were expensive, and you had to dump a whole
>bunch of change in to make them work. Very annoying. So you got a
>calling card, which often charged to your home phone number. Calling
>cards had a fixed PIN on them. "Shoulder surfers" would hang around
>heavily used phones - commuter train stations were a good spot - watch
>as you entered your account number/PIN, memorize it on the spot and then
>sell it. These could move remarkably quickly - my wife's PIN was stolen
>this way, and in use within seconds after she hung up. Over the next
>hour or so, until the fraud people picked it up, it was used to make
>several hundred dollars worth of calls from several locations in New
>York.
>
>Anyhow ... my suggestion was that a similar table be printed on the back
>of the card. (I would have put a multi-digit number at each
>intersection point and only ask for one value. All told, I'm not sure
>which approach is better - but with good printing technology you can use
>much smaller fonts than when you rely on people printing things out
>themselves.) I also suggested that the numbers be printed in a color -
>light blue, red against a grey background - that would make it hard to
>photocopy.
>
>No one ever did anything like this with phone cards. Interesting to see
>the idea re-invented for a different purpose. (Hmm, if I'd patented it,
>the patent would be running out soon, even assuming I went for the
>renewal.) Now if only they hadn't done the actual implementation so
>stupidly....
>
> -- Jerry
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
Richard Stiennon
The blog: http://www.threatchaos.com
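The scheme the thread discusses, as an added example that is not part of the original e-mails or of any bank's code: a grid card filled with single digits is issued, each sign-on asks for three randomly chosen cells, and the server checks the reply. A second function gives the issuer a defender-side number that the thread only gestures at (the shoulder-surfing story): the expected fraction of the card a passive observer has learned after n observed logins, which is what decides how often such cards need rotating. The card size (8 columns, 5 rows, as in the quoted matrix before its "..."), the three-cell challenge, and all function names are assumptions made for this illustration.

```python
"""Grid-card ("coordinate matrix") challenge/response, illustrative only.

Assumptions (not from the thread): 8 columns A-H, 5 rows 1-5, one decimal
digit per cell, three distinct cells asked per sign-on.
"""
import random
import secrets
import string

COLS = "ABCDEFGH"        # column labels as in the quoted e-mail
ROWS = range(1, 6)       # rows 1..5 shown before the "..." in the e-mail
CHALLENGE_SIZE = 3       # the bank asks for three cells per sign-on
CELLS = [(c, r) for c in COLS for r in ROWS]


def seeded_rng(seed):
    """Deterministic RNG for tests/demos; production issuance uses `secrets`."""
    return random.Random(seed)


def generate_card(rng=secrets):
    """Fill every cell with one decimal digit, as the quoted matrix does."""
    return {cell: rng.choice(string.digits) for cell in CELLS}


def render_card(card):
    """Text rendering in the same layout the bank e-mailed to its users."""
    lines = ["   " + " ".join(COLS)]
    for r in ROWS:
        lines.append(f"{r}  " + " ".join(card[(c, r)] for c in COLS))
    return "\n".join(lines)


def issue_challenge(rng=secrets):
    """Pick CHALLENGE_SIZE distinct cells; the required entries differ each sign-on."""
    chosen = []
    while len(chosen) < CHALLENGE_SIZE:
        cell = rng.choice(CELLS)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(card, challenge):
    """The digits the user should read off the card, in challenge order."""
    return "".join(card[cell] for cell in challenge)


def verify(card, challenge, response):
    """Constant-time comparison so timing does not reveal which digit was wrong."""
    want = expected_response(card, challenge).encode()
    return secrets.compare_digest(want, str(response).encode())


def exposure_after(n_logins, card_cells=len(CELLS), k=CHALLENGE_SIZE):
    """Expected fraction of card cells an observer has seen after n logins.

    Each login reveals k distinct cells drawn uniformly from the card, so a
    given cell escapes one login with probability (N-k)/N and escapes n
    independent logins with probability ((N-k)/N)**n.
    """
    survive = (card_cells - k) / card_cells
    return 1.0 - survive ** n_logins


if __name__ == "__main__":
    card = generate_card()
    print(render_card(card))
    challenge = issue_challenge()
    print("Enter cells:", ", ".join(f"{c}{r}" for c, r in challenge))
    answer = expected_response(card, challenge)
    print("Accepted:", verify(card, challenge, answer))
    for n in (1, 5, 10, 20):
        print(f"after {n:2d} observed logins: {exposure_after(n):.0%} of card known")
```

With 40 single-digit cells and three cells per sign-on, a correct guess without the card has a 1-in-1000 chance, but `exposure_after(20)` is already above 78%, which is the figure an issuer would weigh against the cost of re-mailing cards.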