Crypto dongles to secure online transactions

John Levine johnl at
Sun Nov 8 02:07:44 EST 2009

At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you login, then send fake transactions during your legitimate
session.  This is apparently a big problem in Europe.

I told him about an approach to use a security dongle that puts the
display and confirmation outside the range of the malware, and
although I thought it was fairly obvious, he'd apparently never heard
it before.  When I said I'd been thinking about it for a while, he
asked if I could write it up so we could discuss it further.

So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious?  Tnx.

I've made it an entry in my blog at 

Ignore the 2008 date, a temporary fake to keep it from showing up on
the home page and RSS feed.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list