[127268] in cryptography@c2.net mail archive


Re: The wisdom of the ill informed

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Jul 2 08:31:42 2008

To: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
Cc: Stephan Neuhaus <neuhaus@st.cs.uni-sb.de>,
	  Cryptography <cryptography@metzdowd.com>
From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 02 Jul 2008 07:19:57 -0400
In-Reply-To:
 <64A110B6-3261-45BF-90F4-18320AD2AC00@solarsail.hcs.harvard.edu> ("Ivan
 Krstić"'s message of "Tue, 1 Jul 2008 23:53:11 -0400")


Ivan Krstić <krstic@solarsail.hcs.harvard.edu> writes:
> On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
>> My experience with European banks is quite limited -- my consulting
>> practice is pretty much US centric. My general understanding, however,
>> is that they are doing better, not worse, with login security.
>
> As a data point, the largest bank in Croatia used to mail customers
> pre-printed TAN lists. Some number of years ago, they switched to
> (non-SecurID) tokens which require a 4-digit PIN to turn on, and
> then provide two functions: a login OTP and a challenge/response
> system for authorizing individual transactions. Your username is
> simply the token's serial number, though it's not clear if these are
> in fact serial.

That is far, far better than the average US bank.

Perry
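A constructed model of the token Ivan describes above (4-digit PIN to turn on, a login OTP, and a challenge/response for each transaction), added here as an example and not part of the original thread. The serial number, PIN, secret, the use of HOTP (RFC 4226) for the login code, and the challenge layout are all assumptions; the thread does not say how the bank's token actually computes its codes.

```python
import hashlib
import hmac

# Constructed model; token names, PIN, secret, HOTP and challenge format are assumed.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation.
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def response(secret: bytes, challenge: str, digits: int = 8) -> str:
    # The response is an HMAC over the bank's challenge, which embeds the transaction.
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class Token:
    def __init__(self, serial: str, secret: bytes, pin: str):
        self.serial, self._secret, self._pin = serial, secret, pin
        self._counter, self._unlocked = 0, False
    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked
    def login_otp(self) -> str:
        if not self._unlocked:
            raise PermissionError("token locked")
        code = hotp(self._secret, self._counter)
        self._counter += 1                      # each login OTP is single-use
        return code
    def authorize(self, challenge: str) -> str:
        if not self._unlocked:
            raise PermissionError("token locked")
        return response(self._secret, challenge)

class Bank:
    def __init__(self, tokens: dict):
        self._tokens = {s: [sec, 0] for s, sec in tokens.items()}  # serial -> [secret, next ctr]
    def challenge(self, serial: str, amount: str, dest: str, nonce: str) -> str:
        # Binding amount and destination means the response authorizes only this transaction.
        return f"{serial}|{amount}|{dest}|{nonce}"
    def verify_login(self, serial: str, otp: str, window: int = 5) -> bool:
        secret, nxt = self._tokens[serial]
        for c in range(nxt, nxt + window):       # tolerate a few skipped OTPs
            if hmac.compare_digest(hotp(secret, c), otp):
                self._tokens[serial][1] = c + 1  # older counters are now replays
                return True
        return False
    def verify_transaction(self, serial, amount, dest, nonce, resp) -> bool:
        expected = response(self._tokens[serial][0], self.challenge(serial, amount, dest, nonce))
        return hmac.compare_digest(expected, resp)
```

The login check advances the server-side counter so a captured OTP cannot be reused, and a response computed for one amount fails verification for any other amount.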

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
