|
 |
Am 25.12.2013 13:39, schrieb Warp:
> clipka <ano### [at] anonymous org> wrote:
>> What bank uses a sheet of single-use codes and thinks that it's safe?
>
> Well, much safer than a fixed password.
>
> You can't do anything with the sheet alone if you don't have the user's ID.
> Granted, it's not impossible to acquire both, but if you don't store your
> ID anywhere and instead have it memorized, it becomes difficult. (Basically
> they would need to install some spyware in the computer you are using in
> order to get the ID, and then physically steal the passcode sheet. Not
> impossible, but not likely to happen.)
Just two words:
(1) Phising.
(2) Man-in-the-middle attack.
>> Over here in Germany we're past that age. Codes dynamically generated
>> from transaction details it is for us.
>
> How does that even work?
There are two variants in use:
(A) Each time you submit a transaction via browser, you get a
transaction-specific authorization code via SMS to your mobile phone,
including some essentials of the transaction (like the amount of money
transferred, and the target bank account) to make sure that you and the
bank are talking about the same deal.
(B) You get a code generator from your bank. Typically this would be a
combination of a bank card with a built-in chip, plus a card reader with
a built-in display to make sure that the code is generated from the
transaction details you desire.
(As certified card readers are expensive, have never really taken off,
and would probably be difficult to integrate into web-based online
banking, the common solution is an inexpensive battery-powered
stand-alone device using optical transmission from web interface to card
reader.)
Post a reply to this message
|
|
