On 2006-12-21 at 17:48 +0100, Philippe Bruhat (BooK) wrote:

> Even when all banks will provide tokens such as SecurID cards, phishers
> will create fake sites and try to use the small window during which
> the one-time password is still valid to enter your account (think how
> captchas are defeated by robots using humans to decipher the images).

My bank in NL uses challenge-response; card goes into a reader, unlocked with PIN, 8-digit challenge and 6-digit response. It's vulnerable to MitM attacks, but I use vaguely trusted client machines and check that the SSL cert is signed by the same CA as it was the previous time, and I look carefully at the URL in a vague attempt to spot homoglyph attacks. The challenge-response is similar to the Cryptocard RB1 in challenge-response mode, if anyone's used those.

My bank in the USA uses passwords and has already managed to screw me around in other ways such that I want to change banks. Offlist, anyone got any recommendations for a US bank which actually has something bearing a passing resemblance to competent online security?

-Phil
Generated at 20:02 on 28 Dec 2006 by mariachi 0.52