[127267] in cryptography@c2.net mail archive

Re: The wisdom of the ill informed

daemon@ATHENA.MIT.EDU (Ivan Krstić)
Wed Jul 2 08:30:54 2008

Cc: Stephan Neuhaus <neuhaus@st.cs.uni-sb.de>,
 Ed Gerck <edgerck@nma.com>,
 Cryptography <cryptography@metzdowd.com>
From: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
To: Perry E. Metzger <perry@piermont.com>
In-Reply-To: <877ic5imbv.fsf@snark.cb.piermont.com>
Date: Tue, 1 Jul 2008 23:53:11 -0400

On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
> My experience with European banks is quite limited -- my consulting
> practice is pretty much US centric. My general understanding, however,
> is that they are doing better, not worse, with login security.


As a data point, the largest bank in Croatia used to mail customers
pre-printed TAN lists. Some number of years ago, they switched to
(non-SecurID) tokens which require a 4-digit PIN to turn on, and then
provide two functions: a login OTP and a challenge/response system for
authorizing individual transactions. Your username is simply the
token's serial number, though it's not clear if these are in fact
serial.

--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
