[19122] in cryptography@c2.net mail archive
Re: [Clips] Banks Seek Better Online-Security Tools
daemon@ATHENA.MIT.EDU (Florian Weimer)
Tue Dec 6 12:03:41 2005
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: Eugen Leitl <eugen@leitl.org>
Cc: cryptography@metzdowd.com
Date: Mon, 05 Dec 2005 19:56:05 +0100
In-Reply-To: <20051205075458.GP2249@leitl.org> (Eugen Leitl's message of "Mon, 5 Dec 2005 08:54:58 +0100")
* Eugen Leitl:
> The German PIN/TAN system is reasonably secure, being an effective
> one-time pad distributed through an out-of-band channel (mailed dead
> tree in a tamperproof envelope).
Some banks have optimized away the special envelope. 8-(
> It is of course not immune to phishing (PIN/TAN harvesting), which
> has become quite rampant recently.
And we face quite advanced attack technology, mainly compromised end
systems. We are well beyond the point where simple tokens (like RSA
SecurID) would help.
> I do have a HBCI smartcard setup with my private account but don't use it
> since it's locked in a proprietary software jail.
The way the current attacks are carried out, smartcard-based HBCI is
less secure than the PIN/TAN model because with HBCI, you don't need
to authorize each transaction separately. At this stage, few people
recognize this problem, and German banks put high hopes on
smartcard-based online banking, despite its high costs in terms of
consumer devices and support calls.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
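The argument in Florian's last paragraph is about how many fraudulent orders malware on a compromised PC can get booked under each scheme. The following toy model is an added illustration, not code from the thread, from any bank, or from a real HBCI or PIN/TAN implementation: the PIN, the TAN list, the card secret, the HMAC "signature", and the beneficiary names are all constructed for the example. It models the two properties the message relies on: a mailed TAN list lets the malware book at most one order per TAN the user actually types (it can swap the beneficiary, which is the phishing problem, but cannot mint further orders), whereas a card that signs whatever the PC hands it after one PIN entry lets the malware book as many orders as it likes for as long as the card is unlocked.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Order:
    beneficiary: str
    amount: int  # cents

    def encode(self) -> bytes:
        return f"{self.beneficiary}:{self.amount}".encode()


# PIN/TAN model (constructed): the bank holds the same TAN list it mailed to
# the customer; every order must carry one unused TAN, which is then burnt.
class TanBank:
    def __init__(self, pin: str, tan_list: List[str]) -> None:
        self._pin = pin
        self._unused = set(tan_list)
        self.booked: List[Order] = []

    def submit(self, pin: str, order: Order, tan: str) -> bool:
        if not hmac.compare_digest(pin, self._pin) or tan not in self._unused:
            return False
        self._unused.remove(tan)  # one TAN authorises exactly one order
        self.booked.append(order)
        return True


# Smartcard model (constructed): the card holds a secret and, once the PIN
# has been entered, signs whatever order the PC hands it. The card has no
# display, so it cannot show the user what it is signing. Toy signature:
# HMAC-SHA256 with a secret shared with the bank (stands in for a real
# per-card signing key).
class Card:
    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._unlocked = False

    def verify_pin(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin, self._pin)
        return self._unlocked

    def sign(self, order: Order) -> Optional[bytes]:
        if not self._unlocked:
            return None
        return hmac.new(self._secret, order.encode(), hashlib.sha256).digest()


class CardBank:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.booked: List[Order] = []

    def submit(self, order: Order, signature: Optional[bytes]) -> bool:
        if signature is None:
            return False
        expected = hmac.new(self._secret, order.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self.booked.append(order)
        return True


ATTACKER = "DE00 ATTACKER"  # hypothetical beneficiary used by the malware


def attacker_gain_tan(user_orders: List[Order], tan_list: List[str], extra: int) -> int:
    """Malware on the PC swaps the beneficiary of every order the user
    authorises with a TAN, then tries `extra` more orders of its own using
    only the TANs it has seen the user type. Returns attacker orders booked."""
    bank = TanBank(pin="1234", tan_list=tan_list)
    harvested = tan_list[: len(user_orders)]  # malware only knows typed TANs
    for order, tan in zip(user_orders, harvested):
        bank.submit("1234", Order(ATTACKER, order.amount), tan)
    for i in range(extra if harvested else 0):
        # Replaying a burnt TAN fails: no fresh TAN, no further order.
        bank.submit("1234", Order(ATTACKER, 50_000), harvested[i % len(harvested)])
    return sum(o.beneficiary == ATTACKER for o in bank.booked)


def attacker_gain_card(user_orders: List[Order], extra: int) -> int:
    """Same malware, but the customer unlocked the card once with the PIN.
    The PC can now ask the card to sign any number of orders."""
    secret = b"card-secret-provisioned-by-bank"  # constructed
    card, bank = Card(secret, pin="1234"), CardBank(secret)
    card.verify_pin("1234")  # the user types the PIN once per session
    for order in user_orders:
        swapped = Order(ATTACKER, order.amount)
        bank.submit(swapped, card.sign(swapped))
    for _ in range(extra):
        hidden = Order(ATTACKER, 50_000)  # never shown to the user
        bank.submit(hidden, card.sign(hidden))
    return sum(o.beneficiary == ATTACKER for o in bank.booked)


if __name__ == "__main__":
    orders = [Order("DE00 RENT", 80_000), Order("DE00 POWER", 12_000)]
    tans = ["483920", "118342", "907611"]  # constructed TAN list
    print("PIN/TAN   attacker orders booked:", attacker_gain_tan(orders, tans, extra=10))
    print("smartcard attacker orders booked:", attacker_gain_card(orders, extra=10))
```

With two user-authorised orders and ten extra attempts, the TAN model books two attacker orders (the swapped ones) and the card model books twelve. The model deliberately leaves out what would change the result: a card reader with its own display and keypad that shows the order before the card signs it, or a TAN bound to the order's beneficiary and amount; neither is what the message describes as deployed in 2005.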