On 26 Mar 2009, at 13:57, Leif Nixon wrote:
> Well, some banks over here have an authentication system that uses a
> hardware crypto token with a keypad. You use it for a challenge-response
> procedure to log in to the Internet banking site - nothing new so far -
> but you also use it to sign (using challenge-response) each bunch of
> transactions you perform on the banking site. And - this is the key
> point - to sign the transactions you actually enter certain parts of the
> transaction data (like the total amount to transfer) into the crypto
> token.
>
> Even with total control over the client PC, it's real hard for an
> attacker to do anything really evil in that setting.
But check this analysis of the UK version, which seems to be almost
exactly as described...
http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf
--
-- Jim
--
James Cownie <[email protected]>
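The keypad-token signing scheme from the quoted message, modelled as an added example (not code from the thread, the linked paper, or any bank); the shared secret, the challenge value, the truncation to 8 digits and the field names are assumptions. It also shows the check a defender would run on such a design: which fields the user keys into the token decides which alterations by a compromised PC the bank can detect.

```python
import hmac
import hashlib

# Constructed model of the scheme: token and bank share a secret, the bank
# issues a challenge, the user keys challenge + chosen transaction fields
# into the token and types the displayed response into the web form.
TOKEN_SECRET = b"constructed-demo-secret"   # hypothetical shared key


def token_response(secret: bytes, challenge: str, keyed_fields: tuple) -> str:
    """Response the token displays. Truncated from an HMAC to 8 decimal
    digits so a person can type it back (assumed, like common OTP tokens)."""
    msg = "|".join((challenge, *keyed_fields)).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, challenge: str, received_fields: tuple, response: str) -> bool:
    """The bank recomputes the response over the transaction it actually
    received (possibly rewritten on the client PC) and compares."""
    expected = token_response(secret, challenge, received_fields)
    return hmac.compare_digest(expected, response)


def simulate(signed_field_names: tuple, tamper: dict) -> bool:
    """A user signs a transfer on a compromised PC. `signed_field_names`
    is what the user keys into the token (read from a trusted source such
    as a paper invoice, not the screen); `tamper` is what the malware
    changes in the submission. Returns whether the bank accepts it."""
    intended = {"amount": "100.00", "account": "12345678"}   # constructed
    challenge = "48213970"                                     # constructed
    keyed = tuple(intended[f] for f in signed_field_names)
    response = token_response(TOKEN_SECRET, challenge, keyed)
    received = {**intended, **tamper}
    received_fields = tuple(received[f] for f in signed_field_names)
    return bank_verify(TOKEN_SECRET, challenge, received_fields, response)


if __name__ == "__main__":
    # Amount and destination both keyed in: any change is rejected.
    print(simulate(("amount", "account"), {"account": "99999999"}))  # False
    # Only the amount keyed in: a redirected destination still verifies.
    print(simulate(("amount",), {"account": "99999999"}))            # True
```

The last case is the property to check in any such deployment: every field whose alteration would hurt the customer has to be part of what the token signs.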
_______________________________________________
Beowulf mailing list, [email protected]
To change your subscription (digest mode or unsubscribe) visit
http://www.beowulf.org/mailman/listinfo/beowulf