Re: [Full-disclosure] Defeating Citi-Bank Virtual Keyboard Protection

[root <lyal.collins@xxxxxxxxxxxxx>]

Aditya Deshmukh wrote:

> The only most secure protection is a one time password with a challenge /
> response scheme. Most of the banks in europe already do this.
>
> They give out a calculator like device to the customers and when u want to
> login you are presented with a challenge that you punch into you device
> which spits a response that you enter that into the form....
>
> Costly for the bank but very effective security for the customer and bank in
> terms of gain in security and decrease in losses due to fraud ....
>
>
> - Aditya
>
>
>
>
> ________________________________________________________________________
> Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>  
Respectfully, I disagree.
Although I never attended, this year's IT Underground conference in 
poland promised a hand on session breaking OTP tokens.  As Schneier 
says, OT token device merely force a tactical shift by the attacker, not 
a permanent fix. 
The credit card industry's 'fixes' have only been effective for weeks to 
months over the past decade, so I don't consider OTPs will make much 
difference relative to the cost in the mid-long term.

Lyal
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/