Circle Bank plays with two-factor authentication

Richard Stiennon richard at stiennon.com
Fri Sep 29 23:48:56 EDT 2006


Have you seen the technique used at http://www.griddatasecurity.com ?  Sounds a lot like your original idea.

Screen shot here:  http://blogs.zdnet.com/threatchaos/?p=374

-Richard Stiennon

At 02:40 PM 9/28/2006, Leichter, Jerry wrote:
>| Circle Bank is using a coordinate matrix to let
>| users pick three letters according to a grid, to be
>| entered together with their username and password.
>|
>| The matrix is sent by email, with the user's account
>| sign on ID in plaintext.
>|
>| Worse, the matrix is pretty useless for the majority of users,
>| with less usability than anything else I saw in a long time.
>| This is what the email says:
>|
>|   The following is your Two Factor code for Online Banking for
>|   username (sign on ID changed here for privacy reasons).  You will be
>|   required to enter the grid values associated with the three
>|   Two Factor boxes presented with each sign-on to Online Banking.
>|   Please save and store this Matrix in a safe yet accessible place.
>|   The required entries will be different each time you sign-on.
>|
>|
>|                 Two Factor Matrix
>|
>|     A    B    C    D    E    F    G    H
>|     _    _    _    _    _    _    _    _
>|
>| 1    0    8    4    2    1    1    7    5
>|
>| 2    7    4    9    9    2    4    2    0
>|
>| 3    3    6    0    6    9    9    0    6
>|
>| 4    6    4    5    1    4    6    8    4
>|
>| 5    1    7    6    8    6    5    9    2
>| ...
>Wow.  A variation of an idea I suggested back in the '70's....  The
>problem then was with telephone calling cards.  As those of us old
>enough will remember, at one time you didn't have a cell phone with you
>at all times (or at any times).  You had to use these things called pay
>phones.  Long distance calls were expensive, and you had to dump a whole
>bunch of change in to make them work.  Very annoying.  So you got a
>calling card, which often charged to your home phone number.  Calling
>cards had a fixed PIN on them.  "Shoulder surfers" would hang around
>heavily used phones - commuter train stations were a good spot - watch
>as you entered your account number/PIN, memorize it on the spot and then
>sell it.  These could move remarkably quickly - my wife's PIN was stolen
>this way, and in use within seconds after she hung up.  Over the next
>hour or so, until the fraud people picked it up, it was used to make
>several hundred dollars worth of calls from several locations in New
>York.
>
>Anyhow ... my suggestion was that a similar table be printed on the back
>of the card.  (I would have put a multi-digit number at each
>intersection point and only ask for one value.  All told, I'm not sure
>which approach is better - but with good printing technology you can use
>much smaller fonts than when you rely on people printing things out
>themselves.)  I also suggested that the numbers be printed in a color -
>light blue, red against a grey background - that would make it hard to
>photocopy.
>
>No one ever did anything like this with phone cards.  Interesting to see
>the idea re-invented for a different purpose.  (Hmm, if I'd patented it,
>the patent would be running out soon, even assuming I went for the
>renewal.)  Now if only they hadn't done the actual implementation so
>stupidly....
>
>                                                         -- Jerry
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

Richard Stiennon
The blog: http://www.threatchaos.com 
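The grid scheme the quoted post describes, as an added example that is not part of this thread or the bank's own code: the server side of one sign-on, using the matrix values printed in the quoted e-mail as constructed sample data. The cell-naming convention (column letter then row number) and the three-cell challenge size are assumptions.

```python
import hmac
import secrets

# Constructed sample card in the layout of the quoted e-mail: columns A..H,
# rows 1..5, one digit per cell. A real deployment generates a fresh card per
# user and stores it server-side like any other long-lived credential.
COLUMNS = "ABCDEFGH"
SAMPLE_MATRIX = {
    1: "08421175",
    2: "74992420",
    3: "36069906",
    4: "64514684",
    5: "17686592",
}


def cell_value(matrix, coord):
    """Look up one cell, e.g. 'C3' -> '0'. Raises on a malformed coordinate."""
    col, row = coord[0].upper(), int(coord[1:])
    return matrix[row][COLUMNS.index(col)]


def make_challenge(matrix, k=3):
    """Pick k distinct cells with a CSPRNG so the challenge is unpredictable.

    Each challenge should be issued once and discarded after one attempt,
    so an observed response is not replayable against a later sign-on.
    """
    cells = [f"{c}{r}" for r in matrix for c in COLUMNS]
    chosen = []
    while len(chosen) < k:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def expected_response(matrix, challenge):
    """Concatenate the digits the user must type for the challenged cells."""
    return "".join(cell_value(matrix, c) for c in challenge)


def verify_response(matrix, challenge, response):
    """Constant-time comparison; True only if every challenged digit matches."""
    return hmac.compare_digest(expected_response(matrix, challenge), response)
```

Because the card is the second factor's only secret, its confidentiality is the whole game: mailing it in plaintext alongside the sign-on ID, as the quoted post criticizes, removes the separation between factors that the scheme is supposed to provide.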




