Domain: vasco.com
Stories and comments across the archive that link to vasco.com.
Comments · 35
-
Re:Signature is just for legal reasons
I'd much rather they use some type of two factor auth for online stuff rather than add a PIN that shifts the burden if stolen, and provides more chances to grab my PIN and empty my bank account.
I've had fraudulent charges 3 times in my life, every single one was done online, the PIN is useless, and likely the chip makes a minimal impact (though it does render card cloning useless in theory).
The chip seems like a solution to a problem that wasn't really even that big of a problem.
Well, you're using it wrong. The way it works here (Belgium) is: you get a card reader (with keypad and LCD) from your bank.
To buy something online, you put your card in the reader, enter a number that the online app generated (basically a nonce) in the reader, enter the rounded money amount in the reader, and enter your pin in the reader. These numbers all get hashed by the private key inside your card's chip, and generate a new number on the LCD. That number you enter in the online form (or it does it for you if you connect the reader via USB).
So that's basically 2-factor authentication, with your pin never being directly exposed. Hashing the amount makes sure no one can do a MITM attack and steal more than the input amount.
-
Statement released
-
Re:Crap, crap, crap
Yes, because we all know hacking RSA compromises Vasco's security tokens
IT DOES NOT???
Oh my god. The months of preparation. The expensive dinners with the admin. The hack, the cryptoanalysis, the subterfuge!!
ALL FOR NOTHING!!!
My gooooooold!
No, I will NOT give up!
Watch out, Vasco! I'm not finished yet! All the WoW gold WILL BE MINE HA HA HA HA HA!!
-
Re:LOL
-
Re:Crap, crap, crap
Yes, because we all know hacking RSA compromises Vasco's security tokens
-
Re:Reply
You mean like the swiss Postfinance? They ship you this device: http://www.vasco.com/products/digipass/digipass_readers/digipass_800_range/digipass_810.aspx You need to enter the number from the website, slip in your card, enter your pin and then enter the result back to the website. Really secure, except against phishing. Nothing really works against phishing (well smart user, but let's not kid ourselves here...)
-
Re:Well...
Blizzard Entertainment started using a similar (optional) system for their Battle.net accounts to combat account theft - they offer a small hardware authenticator that is totally separate from the PC for $6.50. You first associate the authenticator's serial number with your Battle.net account, then any time you want to play, you log in with your user/pass, and they request a code from the authenticator. Press the button on the authenticator, and it displays a 6-digit number that you then enter online. The number is good for about 30 seconds, then becomes invalid. Their devices are Vasco's Digipass Go 6.
At first blush it appears to be a reasonably secure system, although Blizz also offers Java-based software versions with the same functionality that can be used on a variety of cell phones, so I'd wonder if the key generation algorithm could be cracked via that means. Even if it was, it seems that it'd still be difficult to generate a correct response without knowing the key that's registered with the system.
-
Re:Why trust the PKI?
My bank issued me with a device called a Digipass which generates codes like those that have a life span of 36 seconds. The advantage of this is that I don't run out of codes if I have OCD and check my bank statements 100 times a day and I don't need to contact my bank for new codes. The code also expires after successful login, so there's no double teaming. For someone to successfully log into my account, they'd have to be attacking me as I do my transactions. But not even then, as each transfer has to be signed with a Digipass-generated code as well.
-
Re:One-Time Passwords for Transactions
If an American bank were to issue Visa smart cards with a pocket-carried one-time-PIN generator, would you really switch to them? What if their interest rate or cash-back bonuses weren't quite as competitive as your current bank?
-
Re:Scare tactics
SE Banken in Sweden gives you a digipass, a little gizmo that looks like a keychain pocket calculator. To use it you enter a pin and two 4 digit numbers generated by the bank website. The digipass then hashes them to generate a four digit number which you enter to login and then to authorise each transaction.
Which may not be perfect, but I think it's pretty good. You need your pin and the hardtoken to do anything. https should take care of man in the middle attacks, but the hardtoken should help - the numbers they send you could be a hash of the time, amount, destination bank code and some random numbers. If someone proxies the bank and tries to make you sign for a different transaction, it should be possible for the bank to detect this.
I think these cost a few dollars, much less than the RSA token. And obviously a keylogger on the PC doesn't let the attacker do anything useful, so long as the signing keys in the device are not compromised.
-
Re:Scare tactics
That's not the new two-factor system that they're testing or that I was referring to. I'm talking about the ones that use things like VASCO personal card readers. The bank sends you both the smart card and the reader. You keep the reader in your pocket, and use only it to generate PINs for your transactions.
The encryption hardware never leaves your possession. It does not electrically interface with the merchant system. It's used to generate a one-time-use PIN that you key into the merchant's terminal. The merchant doesn't get your original secret PIN, just the one you generated for your transaction.
-
Re:Well, this is good ...
My Belgian bank (Dexia) has the same thing too. They used to rely on a password and some java crap in your home directory (which is relatively secure, unless you have a trojan), but now they switched to something made by Vasco, which is secure even if your box is compromised (an attacker would be able to see all your account data after you logged in, but you need to key in a newly generated code to confirm transactions).
An extra advantage is that it works on any platform, as it's basically a website, and the little device that generates the code isn't hooked to your computer.
-
Re:How long
All banks in the Netherlands (as far as I know) use some form of strong user authentication for doing online banking. My bank currently uses Vasco's Digipass 810.
After coming to the US, I was surprised (and a little worried) to find out, upon opening an account at Wells Fargo, that all I need to log in is a plain old username/password combination. Are there no banks in the US that use some kind of more advanced authentication system?
-
Re:Use Quicken, no protection
There is one simple solution: don't store your bank information on your computer.
My bank uses a device which, combined with the bank card, generates 8 digit codes to use for authentication and verification.
This device is not connected to a computer.
For confirmation of any transaction you need to enter the confirmation code from the website on the device.
The device generates a signing code which must be entered on the website for confirmation.
it might be more manual actions, but it is also more secure.
My computer does not contain any bank information to get compromised.
To hack my account, they must have access to my pin number, my bank card and the reader.
-
Re:The problem is the authentication mechanism!
The device I use in Istanbul is calculator like independent/dedicated device which they also offer a J2ME phone software lately.
http://www.vasco.com/
It seems your bank was seriously tricked by some MS puppet company.
-
Maybe I'm ignorant or so
Hmmm... after reading the article I have a stupid question popping up in head...
I live in Belgium and several banks here have switched to a card reader device
You just have to type in the number of your physical bank account card, then banks site generates a 8 digit passkey.
pop in your bank card, type in the generated passkey, type in your pin code and type in on the site the passkey the little device generates.
Voila... i'm banking... on any pc i want...
every time i make an online banktransfer, i have to repeat the above procedure
My wife hates it... she doesn't like that she has to type over these numbers, but i'm very happy with it.
-
Re:Travel as light as you possibly can
What technology for a backpack?
Financials:
Go with a bank that is International and does Internet banking.
Be sure you can transfer money in a secure way (my bank uses http://www.vasco.com./).
Your bank should have a BIC or SWIFT code to transfer international.
At least you should have the possibility to check incoming and outgoing money.
Debit-card and Credit-card from that bank. Master or Visa, depending on the part of the world you are going.
You should be able to check your ATM-withdrawals. There is a lot of fraud relating to that. Double withdrawals, up to the max of your credit-card. Sometimes the card doesn't pop out any more...
Never use ATM's when the banks are closed. Try to omit to use ATM's in tourist-hotspots.
Anyway, you should be able to communicate with your bank in an efficient way (email) when you suspect there is some fraud (write down the essentials of your ID's and email it to your on-line email account).
Electronic gadgets:
The smallest camera with a big enough card and standard batteries.
A battery-recharger (110V and 220V) and some good rechargeable batteries.
To store your digital stuff, a USB-harddisk (take the cable too).
No GPS, unless you are a sailor.
A LED-light that fits the standard batteries.
No I-Pod, you want to have your eyes and ears open. As backup it is a bit expensive.
To update your weblog. Try to configure it to do it by email. It is possible to do it with pictures on the right spot and a nice lay-out with "markup" or things like that. Internet-cafes cost $1 US for half an hour.
Voluminous stuff:
1 pair of good shoes.
1 change of clothes. You can buy 'ropas americanas' everywhere. A pair of shorts is 1$ US. Every hangout-place sells T-shirts with their name on it.
Btw., it is better to dress like the locals.
1 backpack and 1 handbag. (most of the time your backpack will be on top or in the bottom of the bus).
Brain stuff:
Try to learn the language. Read the local paper every day.
Don't take one of those backpacking guides with you. Everybody has them, you can borrow it. Most of the time it is more fun to ask around. Take a language book instead.
Musicians:
For wind instrumentalists, take your mouthpiece with you. A percussionist can take one or two 'eggs' with him, and a bass-player going to Cuba should take strings with him, lots of them.
Don't be in a hurry.
Have a fun trip.
-
Re:dumb
FYI: device manufacturer website: http://vasco.com/
-
a bit futile isn't it?
I don't get it...
Why not use something like this:
http://www.vasco.com/products/product.html?product=48&VSID=6d7fc48bd716da9ea9996168a1d6880b
It's a little calculator-like device, which only changes one 6-digit number into another 6-digit number. I don't know the workings behind it, but it's a unique calculation per device, and they're cheap and easy to use.
You just log into a webpage, enter the number on the back or a logincode if the number is registered to a login, input the (changing per page-reload) 6-digit number on the screen onto the calculator, type in the code you receive from the little thing onto the webpage, and you're in.
Anyone who would want to hack the account, would have to have physical access to your particular calculator, know the pass of the calculator, and be able to interpret the numbers on the screen (guess that screenshot-taking malware could do that part). No way any piece of malware could get thru this.
If someone hacks their way into your account with this security thing, You'd have some serious other problems to worry about, like getting rid of that rope around your wrists, tied to the chair you're sitting on with an apple lodged in your mouth :/
Perhaps it'd be interesting if a government could supply these things to their citizens, and have 1 webpage they could do everything on, from filling in their tax forms, to change a home address etc.
-
No compatibility problems at all...
The likely candidate is a device like this one, which you carry in your pocket.
It doesn't interface to a computer except by you pressing the button, looking at the number and then typing it into the login screen.
My bank, HSBC, already uses them. I have a red and grey one sitting here on my desk. It's annoying to have to carry it around, but it's not huge, so the main annoyance would be losing it.
By the way, I'm not the only person who thinks these devices are the way it will go. Vasco stock went up 9.36% today.
-
Re:Old technology?
No, it's not RSA securid; by the looks of it it's the Vasco Digipass Go 3, see http://www.vasco.com/products/product.html?product=47
Digipass tokens are used in Holland by the ABN-AMRO Bank, the Rabobank and a few others. Rabobank actually uses a more advanced version in which you need to insert your smartcard.
-
Re:What's new with this?
http://www.vasco.com/products/product.html?product=48 is what SEB gave me roughly 5 years ago IIRC.
The only thing that bothers me is that I can't have two (one at work, one at home), but that's just a minor bother.
-
Re:Dutch Banks
It's the same device, called a Digipass. This is one of the most used. You can also look at a list of a few companies who use these Digipasses.
-
Re:A question worth asking
In case it's still not clear to you, a common form of two-factor authentication is through the use of a small hand-carried device that uses a time-sensitive algorithm to generate a series of numbers. Time sensitive means that this number series changes over time.
In the industry, this is commonly called a "token" and there are multiple vendors that sell them:
- RSA Security
- ActivCard
- Vasco
- [etc.]
Typically the "two-factorness" of the authentication is a description of the relative strength of the authentication process. The process itself is one which authenticates users based on several criteria:
- Something you know [passwords]
- Something you have [tokens]
- Something you are [biometrics]
Is this a good thing? Most people say, guardedly, "yes". But only because it's better than just merely using passwords.
/Kafka
-
2-factor authentication is ..."something you have and something you know".
It's like a bank machine gives you money because you HAVE your bank card and KNOW your pin.
See two-factor authentication devices from RSA SecurID, VASCO, or Secure Computing.
Microsoft has had a tight partnership with RSA for several years. Any word if MS will roll their own?
Sam
-
Vasco?
What hardware are you using? Is it a Vasco Digipass-like thing?
-
Exactly
All of my friends in the Netherlands have this system. (For example, one is called "Digipass" and is created by Vasco, who has a number of clients.) They were amused to find out that, generally, one just logs into a bank's website and types a password here in the U.S. By the way, I went to a bank here in the US and asked them if they knew about these little devices. Yup, they said, but they said that Americans didn't want the hassle...
-
SEB uses VASCO SecureID tokens
Since this is already being moderated up, I want to note that poster is wrong.
The system that the grandparent describes is based on VASCO "Digipass" devices, that work just like the RSA secureid tokens, only that they also support PINs and challenge/response authentication. That means that if everything is done correctly (which I can't swear to) these tokens, which SEB have been using for more than five years, are considerably more secure than the normal RSA SecureID.
Basically (very simplified) your normal SecureID will create a checksum from a secret and the current time, so the server can verify that person logging in is holding the token at this time. The Digipass, on the other hand, creates a checksum of the secret, the time, and the challenge from the server. This verifies that the person logging in has access to the token at this time, and created a checksum for this particular log in. And the fact that it also requires a personalized PIN to access the device means that stealing it will do you little good.
-
This is new?
I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).
In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).
Most devices are from Vasco who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.
-
Poland
There's a virtual (online only) bank here in Poland that has used one-time pads for the last couple of years.
My current bank uses a secure token to protect online access.
-
vasco.com
vascogate.vasco.com[209.140.121.226]
I am PERPETUALLY (every 15 seconds!) being hit by attempts from this address to use my mail server. They are far worse than any site in Asia, and worst of all, vasco.com is a security related site.
VASCO secures the enterprise from the mainframe to the Internet with infrastructure solutions that enable secure e-business and e-commerce, protect sensitive information, and safeguard the identity of users.
Am I the only one being abused by these people? My log files are almost useless because of their entries.
I have sent repeated requests to any address I could think of, and never even received the courtesy of a response.
They are blacklisted on RSS.
-
Brazilian football team names
Bummer, I was just thinking of starting to support the Corinthians team. Looks like I'll have to stay with Flamengo now!
It's interesting to check out the URLs of some other Brazilian teams:
www.flamengo.com, although in Portuguese, says it isn't related to the Flamengo team. And they don't seem to have been sued off the net yet.
www.palmeiras.com is simply a link to the www.palmeiras.com.br site.
www.saopaulo.com seems to have nothing to do with the São Paulo team - gee, a chance for another good lawsuit!
www.fluminense.com seems to be taken by the same dudes who took saopaulo.com. Wow, two lawsuits for the price of one!
www.guarani.com shows that there really IS some domain squatting going on with these Brazilian football team names - and no it's not the American Christians who are responsible!
www.botafogo.com is another "unofficial" page - room for another good lawsuit there!
Thunderbear Software Creations, with their www.atletico.com site have a message saying that this URL is not for sale. Still, I think they're gonna need a real good lawyer to keep their URL...
Vasco Data Security (www.vasco.com) should hire a good lawyer, 'coz the Rio based Vasco football could take their URL off them Real Soon Now.
IMHO these Brazilian teams should stick to their .BR domain and not try to take out the top level domain names.
Paul
-
Re:My bank
I have something similar. the device is based on a clock that is synchronized with the bank's clock. it uses that for key generation in some way, it also uses a calculator serial number (programmed in by the bank and unknown to the user) plus you have to enter a PIN.
also, when you're going to transfer money you have to enter a checksum + your PIN into the calculator and it generates a key.
IMHO this looks very reliable. you can hammer the code but because it changes every X seconds it's very hard. even if you could sniff the packets (it uses HTTPS) it won't be usable because the code has changed in the time you have found the key you're looking for.
these things are made by Vasco data security, it doesn't seem that hard to implement into your original setup to me.
---