Newsgroups: povray.off-topic
Subject: Re: Hardware
From: clipka
Date: 26 Dec 2013 02:37:36
Message: <52bbdcc0$1@news.povray.org>
On 26.12.2013 01:23, Warp wrote:
> clipka <ano### [at] anonymousorg> wrote:
>> On 25.12.2013 13:39, Warp wrote:
>>> clipka <ano### [at] anonymousorg> wrote:
>>>> What bank uses a sheet of single-use codes and thinks that it's safe?
>>>
>>> Well, much safer than a fixed password.
>>>
>>> You can't do anything with the sheet alone if you don't have the user's ID.
>>> Granted, it's not impossible to acquire both, but if you don't store your
>>> ID anywhere and instead have it memorized, it becomes difficult. (Basically
>>> they would need to install some spyware in the computer you are using in
>>> order to get the ID, and then physically steal the passcode sheet. Not
>>> impossible, but not likely to happen.)
>
>> Just two words:
>
>> (1) Phishing.
>
>> (2) Man-in-the-middle attack.
>
> Does not help to get the physical code sheet.

Does not /need/ to get the physical code sheet. If someone can get in 
between your screen and the online banking portal, they can tamper with 
the transaction details to transfer an entirely different amount of 
money to an entirely different target bank account.

Note that HTTPS only protects the network transmissions, not your 
browser output.

>> (B) You get a code generator from your bank. Typically this would be a
>> combination of a bank card with a built-in chip, plus a card reader with
>> a built-in display to make sure that the code is generated from the
>> transaction details you desire.
>
> How exactly is this different from a sheet of one-use codes?
> (Except, you know, the obvious: That method requires you to connect
> a special device and software to your computer and configure it
> appropriately.)

As the code is now generated from the transaction details, tampering 
with them is much less attractive for an attacker: If they hide any 
changes from the code generator, the code won't be valid for the 
modified transaction. If they pass the changes to the code generator, a 
cautious user will notice that the details have been tampered with 
(provided of course that the code generator has an inbuilt display on 
which it shows the transaction details before spitting out the code, and 
it provides no attack vector between that display and the actual 
cryptographic engine).

As for "the obvious", that's actually a no-issue: The stand-alone device 
I mentioned does not need any software on your PC, and the only 
"configuration" required is a one-time calibration for your display 
size; from then on, use is as simple as holding the device's light 
sensor array against a flickering animation displayed in your browser.
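
The point made above about codes "generated from the transaction details" can be shown in a few lines. The following is an added example, not code from the post or from any bank's system: it models the card reader as an HMAC over the details it displays, using a constructed per-card secret and constructed transaction values, and contrasts it with a sheet code that the bank can only check for membership, not for binding to a transaction.

```python
import hashlib
import hmac

# Constructed per-card secret shared by the bank and the chip card (placeholder value).
CARD_SECRET = b"example-card-secret-placeholder"

# Constructed transactions: what the user intended, and what a man-in-the-middle
# between the browser and the bank could rewrite it to.
INTENDED = {"to_iban": "DE00 EXAMPLE 0001", "amount_cents": 5_000, "counter": 7}
TAMPERED = dict(INTENDED, to_iban="DE00 TAMPERED 9999", amount_cents=250_000)


def canonical(tx: dict) -> bytes:
    """Fixed encoding of exactly the fields the reader shows on its own display."""
    return f"{tx['to_iban']}|{tx['amount_cents']}|{tx['counter']}".encode()


def device_code(tx: dict, secret: bytes = CARD_SECRET) -> str:
    """Code the reader produces after displaying tx; truncated to 6 digits for typing."""
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def bank_accepts(tx_received: dict, code: str, secret: bytes = CARD_SECRET) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(device_code(tx_received, secret), code)


def sheet_accepts(code: str, unused_sheet_codes: set) -> bool:
    """Sheet TAN: the bank can only check that the code is an unused one from the sheet."""
    return code in unused_sheet_codes


def display_confirms(tx_shown: dict, tx_intended: dict) -> bool:
    """The user's check: does the reader's display match what they meant to send?"""
    return canonical(tx_shown) == canonical(tx_intended)


def mitm_outcomes() -> dict:
    """Three paths for the tampering described in the post."""
    # Tamperer hides the change from the reader: the code covers INTENDED, bank holds TAMPERED.
    hidden = bank_accepts(TAMPERED, device_code(INTENDED))
    # Tamperer forwards the change: the code would verify, but the display now betrays it.
    forwarded = bank_accepts(TAMPERED, device_code(TAMPERED))
    betrayed = not display_confirms(TAMPERED, INTENDED)
    # Sheet code: nothing ties it to the amount or account, so the rewrite goes through.
    sheet = sheet_accepts("483920", {"483920", "117455"})
    return {"hidden_change_accepted": hidden, "forwarded_change_accepted": forwarded,
            "display_reveals_change": betrayed, "sheet_code_accepted": sheet}
```

Only the forwarded path verifies, which is exactly why the reader's own display matters: the code is correct for the tampered transfer, so the user's comparison is the remaining defence.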



Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.