The bank fraud blame game

Thor Lancelot Simon tls at rek.tjls.com
Sun Jul 1 16:59:56 EDT 2007


On Sun, Jul 01, 2007 at 08:38:12AM -0400, Perry E. Metzger wrote:
> 
> pgut001 at cs.auckland.ac.nz (Peter Gutmann) writes:
> > (The usage model is that you do the UI portion on the PC, but
> > perform the actual transaction on the external device, which has a
> > two-line LCD display for source and destination of transaction,
> > amount, and purpose of the transaction.  All communications enter
> > and leave the device encrypted, with the PC acting only as a proxy.
> > Bill of materials shouldn't be more than about $20).
> 
> I've been thinking this was the way to go for years now.

Who hasn't?  Oh, I'm sorry -- I meant to say: who, outside of the
set of producers and consumers of security snake oil aimed at
financial institutions, hasn't?

Regular readers will recall the SecurID discussion of about a
year ago, when an individual who appeared to be a paid consultant
to RSA vigorously put forth the notion that secure devices which
required the user to actually do something to authenticate a
transaction were _not_ what was needed -- to the shock and awe
of most readers of, and writers to, the thread here, at least
as I would summarize the discussion.

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


