mailing list archives
Re: Statistical Attack Against Virtual Banks
From: securit () ONLINE NO (HC Security)
Date: Wed, 9 Feb 2000 09:06:10 +0100
Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
least_ use one-time passwords, or so-called digipasses (the user types his
PIN on an small, personal calculator-type device which returns a 6 digit
code to use for authentication in the virtual bank - this code expires
after 15 min or so).
I don't see why this is better than a PIN, unless it is a separated
device (with the overhead of the user having to carry this token). In
addition, if I know how the device generates the code from the PIN, this
only represents an extra step in the attack.
I was a little quick there. The one-time passwords (numbers) and digipasses
won't appear more secure when it comes to the statistical attack. However,
they drastically improve the security for the individual user as it
prevents or hinder other types of attacks/hacks. Also, each digipass are
hardcoded so they generate the key differently. What's more of a problem is
the banks tendency to choose too short public/private keys (512/40 is common).