[17783] in cryptography@c2.net mail archive
Re: the limits of crypto and authentication
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Jul 11 13:39:52 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, dan@geer.org
In-Reply-To: <20050709222422.74FDA1BF96C@absinthe.tinho.net>
Date: Sun, 10 Jul 2005 23:29:08 +1200
dan@geer.org writes:
>Take a look at Boojum Mobile -- it is precisely the idea of using the cell
>phone as an out-of-band chanel for an in-band transaction.
>
>http://www.boojummobile.com
Banks here have been using it to authenticate higher-value electronic
transactions as well. The way it works is that for transactions with a
combined value over the default floor limit of NZ$2.5K you have to use an
additional PIN sent via SMS to a pre-configured number to authenticate the
session. The PIN authenticates that particular session (not just one
transaction), with a fee of NZ$0.25. It's not perfect, obviously, but that
was seen as the best tradeoff between cost, user convenience, and security.
<grumble>A few years ago I wanted to do this out-of-band authentication as a
research project, and at the time couldn't find anyone interested in it; now
they've paid an arm and a leg for it themselves, sigh</grumble>.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
