Court Rules Passwords+Secret Questions=Secure eBanking 284
An anonymous reader writes "A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a US district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes 'reasonable' security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of 'something you know' + 'something you have.' The case has generated enormous discussion over whether the industry's 'recommended' practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC."
One-time pads (Score:4, Insightful)
We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
Re:One-time pads (Score:4, Insightful)
well. Here in the US we don't feel like spending money on security.
Re:One-time pads (Score:5, Funny)
Maybe we can let the TSA take over computer security. You can have a couple of brawny perverts in front of every computer ready to cup your genitals before you go to pay some bills. Add in an X-ray machine to toast your testicles, and you're ready to go!
Re:One-time pads (Score:5, Insightful)
Now Security Theater, that's entertainment!
Re: (Score:2)
We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
We're just trying to balance our checkbooks, not take over the world.
Re: (Score:3)
It seems Europe in general is way ahead of the US when it comes to security in on-line banking.
My on-line banking (with a Dutch bank) goes back some 18 years now. The first system I used required dial-in to a dedicated telephone number using a 2400 baud modem (I didn't have Internet options yet - not even dial-up - and 2400 baud was not the fastest available but at the time quite normal), logging in with user name and password to a telnet like system, and to authenticate each transaction I had to enter a n
Re: (Score:2)
Other banks started using a separate calculator to create the one-off numbers. This was a physically separate device, not on the computer itself.
You can buy those little random number generator tokens for several MMOs, such as World of Warcraft.
I've got one for Final Fantasy XIV since it came with the collector's edition. (Yes, I regret that purchase.)
My bank (well, credit union) doesn't offer it as an option, requiring you to answer three "security" questions instead.
I really wonder when the US will catch up.
So, there's your answer. We care more about our online security for video games than we do about the security of our banks.
We have the technology to do better. (Well, maybe not
Re: (Score:2)
I really wonder when the US will catch up.
So, there's your answer. We care more about our online security for video games than we do about the security of our banks.
I think you misstate that a bit. It's probably the games COMPANIES that care more about keeping their accounts secure than banks do - most of their customers don't really understand/know about/care much about online security. This may or may not have to do with liability (I suspect it does), where the game company stands to lose more than a bank in case of compromised accounts. Financially or in terms of goodwill or whatever.
Their customers don't know much about on-line security. They shouldn't need to: le
Re: (Score:2)
We've been using one-time pads in Finland for a long time, and they do the job.
What's the issue?
I would love for you to explain to me how that would do you any good when your own system is compromised and an attacker can display anything they want on your screen. When you just entered your OTP you didn't just transfer $100k to the attacker did you? Ooops....
Re: (Score:2)
Osuuspankki (http://www.op.fi/) has introduced an "extra verification" for payments. It's not used on all payments, but if the bank detects something odd (for example, you wiring money to someone you've never sent to before, or large amounts), it sends an SMS to your cell phone with the information about the payment you just made and asks you to type in the code you receive in the text message.
So basically, if you have a rooted box, and you access your bank and think you are paying €30 for an electricity bill and
Re: (Score:2)
...and of course Slashdot doesn't support euro symbol when typed. I think you get the point anyway. Should have used HTML escape I guess for €
Re: (Score:2)
The only successful attack-vector would be to have an active, complete man in the middle assault within the ongoing HTTPS session, with the ability to process your inputs, change the recipient of the money, and change the output data-stream on the fly without you or the bank software noticing it.
All of which could easily be done by a trojan on your PC, in a thousand different ways. The simplest would be to modify your web browser.
Re: (Score:2)
The only successful attack-vector would be to have an active, complete man in the middle assault within the ongoing HTTPS session, with the ability to process your inputs, change the recipient of the money, and change the output data-stream on the fly without you or the bank software noticing it.
This is a really, really far-fetched scenario and is unlikely to present itself due to the complexity of the attack. However, while being THEORETICALLY possible, the transactions outbound from your own bank take two days to process, during which such scams can be reversed or audited.
Given this, the plausibility of your post hinges on a very, very frail thread.
If I have complete control over your computer why do I need to launch a man in the middle assault? What would be the point?
What would prevent me from snagging your bank's interface and changing it to make you think you're communicating directly with your bank? There are several toolkits available to do just this. It may take some time; however, this has been done successfully in the past and requires very little technical skill to implement.
That people trust schemes like these when it does nothing to protect
Re: (Score:2)
....and even THEY are insecure enough that banks switched to two-way authentication (via computer + cellphone) here by now.
Re:One-time pads (Score:5, Insightful)
I think you have it the wrong way around. It's an exceptionally hard problem to have a highly secured end user network. It's an easy problem to have stronger authentication mechanisms.
One time pads are not new, or difficult. Two-channel authentication is not new, or difficult. These are not particularly expensive solutions to implement, and would cut down on fraud significantly.
So why do the banks resist the idea?
Personally, I use a bank with two-channel auth, and refuse to use electronic banking that relies on anything sent via my browser alone - the browser is insecure software, and can be taken over without the victim being aware of it, even when the victim is following good security practices.
Re:One-time pads (Score:4, Interesting)
I'm curious.. what is the other channel?
Here in NL there's two major forms of online banking authorization (separate from the account login, of course), both are a challenge/response type, and both perform the challenge in the browser.
The first one, the response is either on a paper sheet you have (which you can then move to a computer file or whatever if you want to spend some time typing it in) or is sent to your cellphone along with the amount (so that no transactions can sneak in without it being shown in the same text).
The other one, the response is something generated on an external device - looks like a little calculator - after entering the challenge.
In both cases, the response is also entered into the browser.
Despite these more-or-less two-factor authorizations, I'd consider this to be a single channel.
I'm not sure what other channel could exist either... a custom application that communicates over an SSL'd connection or secure FTP or whatever could just as well be targeted by malware authors.. perhaps even moreso considering its focused purpose.
A true separate channel would probably be a modification of the aforementioned challenge-via-text method to also send the response via text. Or calling the bank and checking with an employee that the order as you see it on your screen is indeed the order pending and then proceed to provide the response to the presented challenge. The former could be automated, the latter.. not so much?
So I'm curious what the 2nd channel in your banking situation is.
Re:One-time pads (Score:4, Interesting)
Re: (Score:2)
Though the family is still in Alaska, and I used to use Wells Fargo, which offers SecureID (or should that be InSecureID now?), and Wells Fargo is about the only national bank with a real presence there. Bank of America has (last I checked) a single ATM in the entire state, so you could theore
Re: (Score:2)
Hypothetical attack on that scheme: wait for you to type in a code, cause the browser to hang for a few seconds before transmission to the bank, perform malicious transaction with the intercepted code during those few seconds.
Re: (Score:2)
How do you know what transaction the code is authorizing? Does the text message also contain human-readable information with all details about the transaction?
Re: (Score:3)
Does the text message also contain human-readable information with all details about the transaction?
Yes.
Re: (Score:2)
Nifty. What bank is this?
Re:One-time pads (Score:4, Informative)
If the bank attaches transaction details, this is a valid method of circumventing the OTP vulnerability.
There are exploits in the wild that hijack the MSIE HTML rendering layer. So you want to transfer $15 to your aunt. You type in the amount, the account number, all details match. You press "send" and the trojan sends out the scammer's account number and your total balance as the amount to transfer. Now the bank asks you to confirm the transfer - and the trojan displays your aunt's info you have just entered, asking for the OTP code. And you sign the transfer to the thief's account with a valid OTP code.
Now the SMS will contain some digits of the account number and you can verify if it's your auntie who will receive your cash, even if your computer has been compromised.
Re: (Score:2)
The ideas with the little calculator and the one-time SMS work just fine; even if the bad guys have compromised the browser, the results of the little calculator or the one-time SMS won't be usable.
Good banking security isn't rocket science and it doesn't need to cost banks a fortune either.
Re: (Score:3)
Sure they will, if you have compromised the browser completely.
Re: (Score:2)
Fixed that for you.
Re: (Score:2)
Text message challenge, web response.
In order to subvert a transaction, the attacker would need to own both communication channels - my browser displays which transaction I'm approving, the text message displays the same thing. If they don't agree, one or the other has been tampered with.
If they do agree, it's too late for the attacker to alter the transaction, and my response via web can only be blocked, not used for a different transaction.
It's two channel because an attacker needs to subvert both
Re: (Score:3, Interesting)
Don't underestimate the power of the money that can be made by subverting online banking.
If the machine on which you do banking is not secure it becomes very hard to secure a transaction unless you have a true second channel. For example confirm a transaction with an SMS or phone call, although with smart phones this can no longer be guaranteed to be a second channel.
The latest generation of man-in-the-browser malware sits between the user and the bank and can alter transactions that the user has legitimate
Re: (Score:2)
So you use an authentication like the little calculators some banks give. Things that can't be compromised by hackers.
Unless the transaction details you see on the screen match the real transaction details, the special hash displayed by the little calculator won't match and the bank will reject the transaction.
Re:One-time pads (Score:4, Insightful)
No it couldn't because the idea is that you enter the transaction details (amount and account number) into the little calculator thing.
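The two replies above describe "what you see is what you sign": the user keys the challenge, the amount and the account number into a stand-alone device, and the bank only accepts the transfer if the device's response matches the transaction the bank actually received. The following Python simulation is an added example, not code from any poster or bank. It assumes a shared HMAC secret inside the device and at the bank (the constant is a constructed placeholder), a length-prefixed encoding of the signed fields, and an 8-digit truncated response, all of which are assumptions for illustration rather than any real product's scheme.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed placeholder: in practice the secret lives inside the hand-held
# device and in the bank's back end and is never typed anywhere.
DEVICE_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


@dataclass(frozen=True)
class Transfer:
    account: str      # recipient account number
    amount_cents: int # amount in cents to avoid float issues


def canonical(transfer: Transfer, challenge: str) -> bytes:
    """Unambiguous encoding of the fields being signed.
    Each field is length-prefixed so "12"+"345" and "123"+"45" differ."""
    parts = [challenge.encode(), transfer.account.encode(),
             str(transfer.amount_cents).encode()]
    out = b""
    for p in parts:
        out += len(p).to_bytes(2, "big") + p
    return out


def device_response(secret: bytes, transfer: Transfer, challenge: str) -> str:
    """What the 'little calculator' computes from the challenge plus the
    amount and account the USER keyed in on the device. Truncated to eight
    decimal digits so it can be typed back into the browser by hand."""
    mac = hmac.new(secret, canonical(transfer, challenge), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**8).zfill(8)


class Bank:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: dict[str, Transfer] = {}

    def submit(self, transfer: Transfer) -> str:
        """Step 1: the browser submits a transfer (possibly already altered by
        malware). The bank stores it under a fresh challenge and shows that
        challenge in the browser for the user to key into the device."""
        challenge = secrets.token_hex(4)  # 8 hex characters
        self._pending[challenge] = transfer
        return challenge

    def confirm(self, challenge: str, response: str) -> bool:
        """Step 2: the bank recomputes the MAC over the transfer it actually
        received. It matches only if the user keyed the same account and
        amount into the device, i.e. only if the user saw the real transaction.
        Each challenge is consumed on first use, so a response cannot be replayed."""
        transfer = self._pending.pop(challenge, None)
        if transfer is None:
            return False
        expected = device_response(self._secret, transfer, challenge)
        return hmac.compare_digest(expected, response)


def run_scenario(tampered: bool) -> bool:
    """The user intends to send 15.00 to their aunt. With `tampered`, a
    man-in-the-browser rewrites account and amount before submission while
    the screen keeps showing the aunt's details. Account numbers are constructed."""
    bank = Bank(DEVICE_SECRET)
    intended = Transfer(account="NL00AUNT0000000001", amount_cents=1500)
    submitted = (Transfer(account="NL00THIEF000000001", amount_cents=985000)
                 if tampered else intended)
    challenge = bank.submit(submitted)
    # The user keys the challenge and the details they SEE into the device.
    response = device_response(DEVICE_SECRET, intended, challenge)
    return bank.confirm(challenge, response)


if __name__ == "__main__":
    print("honest browser accepted:", run_scenario(tampered=False))
    print("tampered browser accepted:", run_scenario(tampered=True))
```

The property worth noticing is that the malware never gets to choose what is signed: the device signs what the user typed on its own keypad, and the bank verifies against what it received, so any divergence between the two is rejected without the user having to spot it.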
Re: (Score:2)
So your bank authenticates every single thing you do online via a second channel?
Re: (Score:2)
Transactions to unapproved accounts, where "approved" means either the bank knows the recipient and can hunt them down if they commit fraud, or I've explicitly said the recipient is OK by me (which requires external auth to do :-)
Re: (Score:2)
refuse to use electronic banking that relies on anything sent via my browser alone
In most countries that would completely rule out using any form of online banking at all.
Where I live, the only banks that don't charge me insane monthly fees are only available online; they have no tellers to visit. Additionally, no banks in the country offer any more secure banking than asking for a password, and worse yet, one of the banks I have dealt with in the past required the password to be exactly 6 characters long (no more, no less) and completely numeric.
You may be lucky enough to live somewhere
One-time pads bypassed by Zeus and Spyeye (Score:2)
Re: (Score:2)
passwindow (what shieldpass uses) doesn't even have a valid SSL cert. Maybe it's an ok product, but I have trouble trusting a web security provider with an expired SSL cert (and it was only valid from 2011-05-23 - today).
It also completely ignores other auth channels - how about email, ssh, imap, ldap, radius, etc?
And it's only 4 digits, and parts of those digits are sent to the user - enough that one should be able to narrow it down quite a bit.
Worse, there's two huge proximity weaknesses...
* if someone sh
Re: (Score:2)
At some point the "victim" businesses need to be responsible for the physical and network security of their systems. It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.
Not that I'm disagreeing with you, but playing devil's advocate for a moment, it is highly unreasonable for you to assume that any institution should be held 100% liable for every connection made to any system directly connected to the Internet.
That's kind of like suing Microsoft for a vuln that they *should* have known beforehand. The term "zero-day" wasn't coined because it sounds cool.
Re: (Score:2)
It's unreasonable to expect banks to have to assume that every connection may or may not be coming from a machine not under the control of their customer.
Maybe it's the whiskey, but I tried five times to parse that...short of taking out a pen and paper and working it out, I'm not sure what you are trying to say here.
Secure = Secure Enough (Score:3)
Re:Secure = Secure Enough (Score:5, Interesting)
Who is your favorite Disney character?
What is your favorite color?
You stand a good chance to get the right answer for any given account if you go with Mickey / Minnie or red / blue. How is that really security?
Re:Secure = Secure Enough (Score:5, Interesting)
I always answer those questions with a different password. This results in many people going, "LOL So your mother's maiden name is jks)*8h9*H*(BY?"
This is when those are used for verbal authentication over the phone. Then on top of this, I just need some reasonable password management.
All good!
Re: (Score:2, Interesting)
I was doing that with my bank (the 'mothers maiden name' answer I had, while technically correct, wasn't the obvious one), until one day when I had to call in and was informed that my answer was wrong. My mom has an account at the same bank, and somehow they had been able to 'fix' it; I have not been able to change it back. Nor did I ever get an answer as to why the change was made.
Re: (Score:3)
WOW! That's not good. So, they ENFORCED bad security on you. By revealing something which could be found out.
That's insane.
Re: (Score:2)
Exactly. Though, sometimes I do completely random stuff, other times, when I'm forced to write a pile of these, I tend to get a little angry by the last one. So they're often of the form:
%#@02-1as who the fuck wrote this fucking system, he is surely a retard of the highest order
If they'll allow me to use that many characters. This is fine and dandy, if I only see it. But sometimes the support personnel take offence.
Re: (Score:2)
The questions should serve as a mnemonic, such that if they ask for your favorite color you may as well go with tomatoandpepperred, or for a favorite Disney character go with mysonlovesthemousewithbigears.
The problem is that people want something quick and easy to remember which normally turns into Red or Mickey
This has a name (Score:5, Insightful)
There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
Re:This has a name (Score:4, Funny)
There's a name for this sort of security - "Wish it was two factor" [thedailywtf.com] security.
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.
Re:This has a name (Score:4, Informative)
I'm sure he's not depositing the check from the banking industry in an American bank account, so it shouldn't be a worry for him.
Re: (Score:2)
Either nobody asked the experts or the judge didn't care. I hope he uses online banking and finds himself with a negative balance some day.
Simply a reminder.
It is your job as plaintiff or defendant to make your case through evidence and arguments that everyone in the courtroom can see and hear.
Not to ask the judge and jury to fill in the blanks behind closed doors.
Re:This has a name (Score:4, Interesting)
If there's zero case law on something, any case law is good, because it creates both a starting point and a breach point for other lawyers to prove that the system is faulty. It's not bullshit; well, actually it is, but not in the way you think. It's bullshit that it's taken nearly 15 years for the first real case to come to light creating case law.
Re: (Score:2)
And now a judge is ruling that it's enough, along with a "device fingerprint" that can be trivially faked? That is complete bullshit.
Bullshit you say? If PI can be legislated to a value of 3.2 [wikipedia.org] and a city can ban Styrofoam cups because water is used in their fabrication [msn.com], why not?
good (Score:4, Interesting)
From a consumer perspective, the lower the bar is for "effective security measures" the better, because if an attacker breaks ineffective security measures, you're basically on the "caveat emptor" hook, meaning you failed to do due diligence, therefore any losses are yours. If the security's effective, the bank's on the hook for any losses due to theft. Think of it this way, your bank has a wooden safe, and a robber gets in, you try to sue the bank for your losses, the bank says "well, duh, we had a wooden safe, what'd you expect?", and gets off the hook, while if the bank has a steel vault, you sue, and the bank's required by fiduciary duty to cover your loss, even though it's not negligent. Kinda twisted, huh? But then again, look at the rhetoric flying around Washington about the banks, banking law is truly down the rabbit-hole.
Re: (Score:2)
Some people aren't living paycheck to paycheck with just debit and credit card charges to watch out for. That law/rule doesn't cover me if someone gets into an investment account and clears it out. What if they get into my bank account and wire the contents of my checking and savings accounts? Once it's wired, the thief converts it to cash and it's gone. That shit goes through in minutes to hours. By the time I get my monthly statement, they're in the Bahamas sipping rum-based drinks. Well, I'd get an
why not use some sort of authenticator? (Score:5, Interesting)
I find it odd that Blizzard offers more security for a World of Warcraft account than your average bank.
Re: (Score:2)
Blizzard spends (or used to spend) a very large amount of money on support of the people who had their accounts stolen. It was a pure business decision for them - invest in authenticator technology, save on staff.
Re: (Score:2)
That still won't completely prevent malicious activity when the attacker has control of the end user's machine.
Re:why not use some sort of authenticator? (Score:4, Informative)
Actually it still does, as you need a separate device that's not connected to the computer in any way.
Re: (Score:2)
Only to log in, usually. Once logged in the attacker can gain control of the authenticated session and use it for malicious activity.
Calm down (Score:5, Insightful)
What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
Re:Calm down (Score:4, Insightful)
Seriously, everyone calm down. If your bank's security sucks, switch. It's really easy. I switched banks on Monday... it took me all of about an hour.
Know of any US banks that offer SecureID or something similar? I'd sure like to know, as in order for my LLC to accept credit cards I have to have a US bank, so it's not like I can shop around even if I wanted to.
What banks really need to do is give you options to lock down your online account. I want online banking, but I only want to transfer money between my accounts with that bank and 1 other account. Why can I not pre-approve those accounts and disable everything else unless I go down to the bank? Seems like a simple concept. Even if I were to get hacked, they could only move money around in my own account!
I agree, I mean, it's not like banks want to you easily move money out of an account anyway.
Re:Calm down (Score:5, Insightful)
If your bank's security sucks, switch
Switch to another insecure bank? The problem is that this shitty security is industry standard.
And if you don't mind me asking... What was the name of your first childhood pet?
Re: (Score:2)
Username is a 12 digit random number, provided by the bank.
Password is 12 characters at least 2 numbers and 1 special character.
3 unsuccessful attempts locks the account.
Unlocking the account requires a call to customer service who then hangs up and calls me back.
At that point they ask me what my pass code is.
I had to provide the pass code, in person, in writing at the bank when I opened the account.
If I log in from a new IP address, the bank auto-dials my house... I then have to punch
Re: (Score:2)
They, as in the person you were just speaking to. Can you not recognize a voice you spoke to less than 30 seconds prior? It's not like some random caller calls you back, it's the person you just spoke with.
Re: (Score:3)
And if you don't mind me asking... What was the name of your first childhood pet?
Ah-ha, I didn't actually use the name of my first childhood pet!
Because her name was "Meg" and that was too short, since apparently you must answer with at least five characters. So instead I use the name of my second childhood pet.
Except his name was "Max" and that's also too short.
And I'll never tell you about my third childhood pet, a black cat named Licorice! ...oops. I wonder if I can change the answers to my security questions? I guess I'll need to go get a fourth childhood pet now, and make sure to na
This is about liability, not security (Score:3)
The company suing the bank had seen the bank's security measures. They had the opportunity to judge whether the bank's security measures were secure enough for them. The bank should win unless the precautions were unreasonably weak.
You would think everyone involved would be insured against these kinds of losses.
Re: (Score:2)
What's more, the bank account was compromised because of the account holder's lousy security that ended up with them getting keyloggers on their computers. Why should the bank be liable for that?
Measures= joke (Score:2)
I worked in a business where we built point-of-sale terminals.
The banks are already crazy-serious about certifying devices that talk to their systems.
When you think that the future is everyone and their phone conducting banking operations and that most of those devices have multiple known exploits, you expect things will only get worse.
It's time for businesses to get more paranoid (Score:3)
If you have a business account where the bank won't cover losses from fraud; if your bank doesn't implement effective security measures; if you have some reason to stay with that bank anyway; if you feel compelled to sign up for online banking:
Use a dedicated computer. They're cheap. You can afford to have one computer that's off limits for web surfing, online videos, dancing cursors and so on. For extra credit put it on a separate LAN segment, and of course you should have disabled Autorun anyway. Set it up so it can only connect to your bank's web site and to Windows Update.
Re: (Score:2)
Set it up so it can only connect to your bank's web site and to apt-get.
FIFY
Re: (Score:2)
+1 dedicated computer.
That's exactly what I'm setting up for my mom for her personal online banking - a netbook running Linux with strong injunctions from me to use it and only it for banking, in combo with separate email accounts for & only for banking. I admit I haven't done the same for myself, but I plan to soon. Ordinarily there's no way any Linux distro could survive in the hands of my mom, but if it's only used for connecting to a couple of sites, perhaps it has a chance.
Who is to blame? (Score:2)
The case has generated enormous discussion over whether the industry's "recommended" practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC"
And whose fault is that? At what point does a bank's responsibility for a user's poor choice of system end?
Re: (Score:2)
Wrong rhetorical question. I think what you meant to ask was "when are the fat corporate pricks who market incompetently designed operating systems which no professional of reasonable competence would want his name associated with - when do we hold them accountable?"
Banking security? (Score:3)
Banks are monumentally incompetent at securing their environments, so each individual needs to become accountable for the security of anything that takes place outside the bricks and mortar of their bank. My strategy is to distribute my funds across a few different banks.
No password sharing minimises the risks, and distribution minimises the impact.
This will not be solved on purpose (Score:2)
But it is not the fault of the banks. Governments around the world, including in the US, are very committed to spying on all of their citizens' networked interactions whenever they wish. Establishing much more perfect security, including near-unbreakable encryption, is the last thing that governments wish to see. So if the banks had much more perfect security software then it would quite likely be illegal to use in most countries. If it has government back doors then it is that much less secure.
It's only a District Court case (Score:2)
A decision by a U.S. District Court is not even binding within the same jurisdiction of that court. Yes, other District Court judges might give the decision some weight; but they are not required to do so.
Only when the U.S. Circuit Court of Appeals upholds a decision from a District Court in that circuit does the decision become binding on all the District Courts in that circuit. Even then, the decision is not binding in other circuits. To be binding throughout the U.S. requires a decision from the U.S.
What are banks for? (Score:5, Interesting)
Why do we need a judge to make the decision? (Score:2)
If you don't think a bank offers enough security, don't use online banking.
Re: (Score:2)
If it doesn't take much more than your name and bank account number to open an online banking account, just "not using" it isn't going to increase your security.
Two account passwords (Score:2)
A little something of "how bank phishing worked" (Score:2)
Allow me to elaborate on the timeline of bank phishing, why this is horribly insecure and how even one time pads failed. I've spent my time in the early/mid 2000s working on this problem for some bigger banks in Europe, and if anyone feels like challenging this court's decision, I'll gladly come as expert witness, just to make this judge look like the clueless person he obviously is.
The first and foremost reason why this is insecure is that all these "security" (I'll use the term loosely here) schemes fail
A Magistrate? (Score:2)
Might as well call it a "fake judge". Magistrates are the courtroom equivalent of a "maintenance programmer", brought in to handle the menial stuff that real judges don't want to deal with. We're letting one of these guys decide a huge issue like this? Not good, not good at all.
The Secret to Secret Questions (Score:2)
First off, if your machine is controlled by your adversary you're probably fucked one way or another regardless of what your bank does, if you give your attacker enough time. Also I run windoze 7... feel free to troll me.
With that out of the way I highly recommend using keepass or something similar, not only do you get the obvious benefit of stronger and unique passwords but if a form wants answers to secret security questions, just pick a question, any of them it doesn't matter, and use a long random hex key
A true solution (Score:3)
What you see on your screen may be fake, and what the bank sees you type may be fake too.
The only thing that may not be faked is your identification to the bank, when using a one-time pad.
The obvious solution, which is too deep for bankers and judges, is to secure all the necessary information.
In practice this means having something looking like a calculator which shows each transaction,
having cryptographic secure two-way communication to the bank via the net, and being tamperproof.
A sort of two-way code calculator.
There is a fairytale of 1001 night (Score:3)
which involves old/new olives. Funnily, the judge does not try to verify by himself but calls somebody who is a trader of olives and knows about the topic of old/new olives.
Here in Sweden (Score:4, Interesting)
Here in Sweden - my bank uses a keypad - where the user first must key in a PIN code to activate the device. Then to log in - you must key in your national security number (user ID) - from this the bank generates a code - I key this code into my unlocked keypad - and get a return code. This is I guess similar to the RSA key generation (the device is not supplied by RSA incidentally) - except that the whole activity is locked down by a 4-key PIN in my handheld device - which I guess is the key to the code generation. My bank thinks this security is impregnable (the last time I questioned it they laughed at me) - but after the recent RSA hack I really wonder if this is the case. If the generation algorithm becomes common knowledge (i.e. the security provider is hacked) - then all that is needed is to identify the 4-digit PIN code.
Re: (Score:2)
As long as it is still sent through the same channel (i.e. computer) it does not add to security. The bank can maybe then verify that it's really you who issues the order, but it cannot verify in any way that the data sent is what you entered.
Re: (Score:2)
No, but if part of the second factor is your phone receiving an SMS with the transaction details:
Transfer to:
BSB: 123456
Account: 987654321
Name: Bob Doofus
Amount: $325.91
PIN: kJ64Ap
Now you can check the transaction the bank claims to have received from you. Not only can you abort if the details are wrong, you know your machine (or the comms path) is compromised. If it's correct, you punch in the PIN - which identifies the transaction to the bank rather than retransmitting the details.
Re: (Score:2)
Yup, and that's why it's done that way in developed countries.
Re: (Score:2)
Because you can have 10 figures in your WoW account. Duh.