Re: Banking on Stupidity


From: Phil Pennock
Subject: Re: Banking on Stupidity
Date: 05:45 on 25 Dec 2006
On 2006-12-21 at 17:48 +0100, Philippe Bruhat (BooK) wrote:
> Even when all banks will provide tokens such as SecurID cards, phishers
> will create fake sites and try to use the small window during which
> the one-time password is still valid to enter your account (think how
> captchas are defeated by robots using humans to decipher the images).

My bank in NL uses challenge-response; card goes into a reader, unlocked
with PIN, 8-digit challenge and 6-digit response.  It's vulnerable to
MitM attacks but I use vaguely trusted client machines and check that
the SSL cert is signed by the same CA as it was the previous time and I
look carefully at the URL in a vague attempt to spot homoglyph attacks.

The challenge-response is similar to the Cryptocard RB1 in
challenge-response mode, if anyone's used those.

My bank in the USA uses passwords and has already managed to screw me
around in other ways such that I want to change banks.  Offlist, anyone
got any recommendations for a US bank which actually has something
bearing a passing resemblance to competent online security?

-Phil
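
The two compensating checks described above (remembering which CA signed the bank's certificate last time, and eyeballing the URL for homoglyphs) can be automated. The following is an added example, not code from the post or from any bank; hostnames, issuer names and the in-memory store are constructed for illustration. The issuer tuples mimic the shape Python's `ssl.getpeercert()["issuer"]` returns, so a real certificate could be fed in the same way.

```python
import unicodedata
from typing import Dict, List, Set, Tuple

# Issuer in the shape ssl.getpeercert()["issuer"] returns:
# a tuple of RDNs, each a tuple of (attribute, value) pairs.
Issuer = Tuple[Tuple[Tuple[str, str], ...], ...]


def issuer_name(issuer: Issuer) -> str:
    """Flatten an issuer tuple into a single 'attr=value,...' string for comparison."""
    return ",".join(f"{attr}={value}" for rdn in issuer for attr, value in rdn)


def check_issuer(store: Dict[str, str], host: str, issuer: Issuer) -> str:
    """Trust-on-first-use on the issuing CA.

    Remembers which CA signed the certificate the first time a host is seen
    and reports 'changed' if a later connection presents a different issuer.
    The store is an in-memory dict here (assumption); persist it in real use.
    """
    current = issuer_name(issuer)
    previous = store.get(host)
    if previous is None:
        store[host] = current
        return "first-seen"
    return "unchanged" if previous == current else "changed"


def letter_scripts(label: str) -> Set[str]:
    """Return the script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    scripts: Set[str] = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            # First word of the character name is its script, e.g. 'CYRILLIC SMALL LETTER A'.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def hostname_warnings(host: str) -> List[str]:
    """Flag hostnames that could be homoglyph look-alikes of an ASCII name.

    Two signals: a label that mixes scripts (Latin 'p' next to Cyrillic 'а'),
    and a displayed name whose IDNA (punycode) form differs from what is shown.
    """
    warnings: List[str] = []
    for label in host.split("."):
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            warnings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        warnings.append(f"{host!r} is not a valid IDNA hostname")
        return warnings
    if ascii_form != host:
        warnings.append(f"displayed name encodes to {ascii_form!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample data: two different CAs and a look-alike hostname
    # whose second letter is Cyrillic U+0430 rather than Latin 'a'.
    ca_first = ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),))
    ca_other = ((("organizationName", "Other CA"),), (("commonName", "Other Root"),))
    seen: Dict[str, str] = {}
    for issuer in (ca_first, ca_first, ca_other):
        print("bank.example issuer:", check_issuer(seen, "bank.example", issuer))
    for name in ("paypal.com", "p\u0430ypal.com"):
        print(name, hostname_warnings(name) or "looks like plain ASCII")
```

The script check is deliberately conservative: a label made entirely of one non-Latin script is not flagged as mixed, but the IDNA comparison still reports it, since the punycode form is what the browser actually resolves.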