[16626] in cryptography@c2.net mail archive
RE: Banks Test ID Device for Online Security
daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Jan 5 11:38:57 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 04 Jan 2005 19:18:54 -0800
To: "R.A. Hettinga" <rah@shipwright.com>,
From: Bill Stewart <bill.stewart@pobox.com>
Cc: <cryptography@metzdowd.com>, <cypherpunks@al-qaeda.net>
In-Reply-To: <017630AA6DF2DF4EBC1DD4454F8EE29704776BE6@rsana-ex-hq1.NA.R
SA.NET>
>R.A. Hettinga wrote:
> > Okay. So AOL and Banks are *selling* RSA keys???
> > Could someone explain this to me?
At 12:24 PM 1/4/2005, Trei, Peter wrote:
>The slashdot article title is really, really misleading.
>In both cases, this is SecurID.
Yup. It's the little keychain frob that gives you a string of numbers,
updated every 30 seconds or so, which stays roughly in sync with a server,
so you can use them as one-time passwords
instead of storing a password that's good for a long term.
So if the phisher cons you into handing over your information,
they've got to rip you off in nearly-real-time with a MITM game
instead of getting a password they can reuse, sell, etc.
That's still a serious risk for a bank,
since the scammer can use it to log in to the web site
and then do a bunch of transactions quickly;
it's less vulnerable if the bank insists on a new SecurID hit for
every dangerous transaction, but that's too annoying for most customers.
----
Bill Stewart bill.stewart@pobox.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
