[127662] in cryptography@c2.net mail archive
Re: The wisdom of the ill informed
daemon@ATHENA.MIT.EDU (Ben Laurie)
Tue Jul 8 10:44:53 2008
Date: Tue, 08 Jul 2008 10:42:31 +0100
From: Ben Laurie <ben@links.org>
To: =?UTF-8?B?SXZhbiBLcnN0acSH?= <krstic@solarsail.hcs.harvard.edu>
CC: "Perry E. Metzger" <perry@piermont.com>,
Stephan Neuhaus <neuhaus@st.cs.uni-sb.de>,
Ed Gerck <edgerck@nma.com>, Cryptography <cryptography@metzdowd.com>
In-Reply-To: <64A110B6-3261-45BF-90F4-18320AD2AC00@solarsail.hcs.harvard.edu>
Ivan Krstić wrote:
> On Jul 1, 2008, at 12:46 PM, Perry E. Metzger wrote:
>> My experience with European banks is quite limited -- my consulting
>> practice is pretty much US centric. My general understanding, however,
>> is that they are doing better, not worse, with login security.
>
>
> As a data point, the largest bank in Croatia used to mail customers
> pre-printed TAN lists. Some number of years ago, they switched to
> (non-SecurID) tokens which require a 4-digit PIN to turn on, and then
> provide two functions: a login OTP and a challenge/response system for
> authorizing individual transactions. Your username is simply the token's
> serial number, though it's not clear if these are in fact serial.
Barclays Bank in the UK uses little chip&pin machines you put your
debit card into and provide the same functions as Ivan describes above.
I have a spare one I've been meaning to dissect to see what's inside
them. I wonder where I put it?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff