Banks Begin To Use RSA Keys
jnguy writes "According to the New York Times (free bacon required), banks are beginning to look into using RSA keys for security. AOL has already begun offering its customers RSA keys at a premium price. Is this the future of security, and is it secure enough? How long before everyone needs to carry around 5 different RSA keys just to perform daily tasks?"
yes and no... mainly no.
serenity now!
I'm rather surprised: Several Norwegian banks have been using these RSA Hardware Tokens for a couple of years.
http://virtuelvis.com/
Ever read your bank's privacy statement? They pretty much share your personal info to every 3rd party out there. Not to mention they offshore data management overseas.
Offering keys at a premium price? I can do gpg --gen-key by myself, it's free!
The article is really talking about using hardware tokens for extra security since the private data is stored on an external token and can't be stolen by viruses, trojans, or phishing scams. I don't even see RSA mentioned in the article -- there is an inset picture of an RSA SecurID but that's as close as it gets.
This is the perfect use for a thumb drive, so long as the computer you're using can be trusted. I can see a problem with people keeping all their keys on a thumb drive, and using it at a net cafe or something, but the computer at the cafe could be easily set to download the keys and key log the password to each set of keys. This can only be solved by something like an external device that will let you input a challenge code, and spit out a response code to gain access to the RSA key.
I'd rather register than read through this unformatted text ;) thanks anyhow.
My bank (SEB, www.seb.se) has been using a hardware token system for years. I click the sign in button, enter my birthdate, receive two four-digit numbers, start the little device, enter my password and the two numbers and get a six-digit number that I enter in the login page and then I get logged in.
Is this somehow different?
Oh, and by the way, works like a charm and I feel a lot more secure than I do with static passwords
How long before everyone needs to carry around 5 different RSA keys just to perform daily tasks?
How long before everyone needs to carry around 5 different physical keys? Let's see... we have the house key, the car key, the shed key, the bike key, the gun case key, the baseball card key...
Banks in Poland have been using physical security tokens for online access for a few years. Yawn...
The RSA will help to protect Western bank/brokerage accounts from Chinese theft. That the majority of stolen credit card numbers end up in the hands of Chinese gangs, aided and abetted by Beijing, in Southeast Asia should surprise no one.
This sounds like SecureID cards, which are time-synched to a master server which runs the same algorithm/seed. SecureID has a long history in the IT world, and works relatively well (and, as far as I know, no one has ever hacked the algorithm).
Sounds like your device just calculates a response based on two inputs; don't know why that wouldn't be just as easy in software. (You _can't_ turn a SecureID card off, so it can't get out of synch with the server, unlike software.)
Not to say that your device isn't secure - more reverse engineering would be required to determine that - but the two approaches *are* very different.
If you're not living on the edge, you're just taking up space!
At first glance, the external token as described in the article sounds secure, but since the person only types it in once per login, phishing really isn't that much more difficult than before.
...
... sounds like that would blow #1 away, but not if the phisher then logs in via the victim's machine.
Two ways off the top of my head a phisher can defeat this:
1. Grab login data in real-time from an IRC channel, etc and race to login before the code changes - for extra measure, disable the user's connection for a little while - DoS, etc.
2. Proxy the request - that is don't try to steal the login data itself, but rather hijack their session and go to town.
Some may think, ok "check the person's ISP (IP range, etc) too"
In a nutshell, if the client machine can't be trusted, all bets are off!
Yes, tokens raise the bar, but I fear banks will use this more as an excuse to erode consumer protections for fraudulent transactions; Verified by Visa comes to mind.
Ron
If we are going the route of RSA keys, we need a secure digital wallet, where one key contains all the credit cards and bank info we need. This will keep all the info just as secure but we won't need a billion different keys for all our different accounts.
Check out this Wikipedia article.
To answer the 5 tokens keychain question: there is a software token device also available: http://www.rsasecurity.com/node.asp?id=1313/
That the /. summary would actually reflect the same interpretation, or dare I say it, even the factual content of the article.
You must be new here.
I use an 8 digit PIN and an RSA hardware token to log into work remotely.
The Doormat
If you're not outraged, then you're not paying attention.
MOD PARENT DOWN!
How long before everyone needs to carry around 5 different RSA keys just to perform daily tasks?
It's not like a million keys are harder to carry around than one...
I've been using physical tokens to log on to e-banking for years. Not only that, but tokens that are significantly more secure than securID fobs, in that they support challenge/response and using a PIN to unlock it (two-factor security, and the PIN is only used with the token so it needn't be known at all to the bank).
In fact, most banks are now switching to keypads that you plug your existing bankcard in, so they can piggyback on the tamper-resistant chipcard that's already on there (although it's slightly less advanced than some tokens, since chipcards don't support a clock that's permanently ticking).
Most devices are from Vasco who provide a wide range of tokens (some more secure than others). They even have challenge/response tokens that don't require you to copy the challenge; they have optical sensors that can read out a code that's blipped out by flashing blocks on your screen. Way cooler devices than those RSA securIDs.
SCO employee? Check out the bounty
How long before someone finds a fast way of factoring large numbers and we're all screwed?
A hardware token is only one way to increase security. At E*Trade, customers who want to conduct wire transfers must wait for a confirmation number to be sent to their cellphones or personal digital assistants, then enter that number to complete the transaction, Mr. Levine said.
People who sign up for the E*Trade hardware tokens and lose them will have to call customer service to authenticate themselves, he said.
U.S. Bancorp plans to try out a system involving hardware tokens that will be based on technology from VeriSign, the Internet security company. The bank declined to add details.
The urgency surrounding the issue is linked to an increase in "phishing," the practice of sending fraudulent e-mail messages en masse to bait people into disclosing sensitive information. Newer scams involve "malware," which can install itself on a computer through e-mail or pop-up ads, detect when someone starts to use an online banking program or make a credit card payment, and then record the person's keystrokes and capture account details. The victims do not even have to do something foolhardy like giving away account numbers or passwords.
"We're just seeing new stuff out there all the time," said Dave Jevans, chairman of the Anti-Phishing Working Group, a coalition of companies in financial services and information technology. But he added: "I don't think people need to be any more scared than going to an A.T.M. at nighttime. They need to be cautious; don't do silly things."
People who run antivirus software on their home computers, who have installed firewalls to guard against incursions, and who take other security precautions need not worry so much about the proliferation of online threats, security experts say. But they add that these people are probably not in the majority.
Some bankers say they are leery about rushing to install new systems that may not solve all the problems. Concerns over phishing have "provoked some of the government agencies to come up with simple solutions to very complex problems," said John Carlson, a former regulator with the Office of the Comptroller of the Currency who is now a senior director at BITS, the technology arm of the Financial Services Roundtable, a trade group.
"Consumer acceptance and ease of use are huge issues," he said.
At Wachovia, which offers both hardware tokens and digital certificates to corporate customers, Joanne Young, the wholesale business manager for e-commerce, says that the certificates are easier to use, although unlike the tokens, they are not portable from one machine to another. When she telecommutes, "I always have to find my hardware token on my computer at home," Ms. Young said. "My kids are always moving it on my desk."
I have a church key that I carry too.
Putting all of one's eggs into the same basket of crypto is probably a bad idea. If banks all adopt RSA as a standard way of doing logins at ATMs and/or online, then there will be a major upheaval if anyone cracks RSA.
RSA is based on the idea that prime numbers are very hard to find, and with some of the research that is currently going into that field I would be very wary of using that idea as an end-all.
If banks are to adopt a universal crypto system, then perhaps AES or some form of elliptic curve crypto would be a better choice?
My UID is prime and so is this number: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.
The article is really talking about using hardware tokens for extra security since the private data is stored on an external token and can't be stolen by viruses, phishing scams, or trojans. I don't even see RSA mentioned in the article -- there is an inset picture of an RSA SecurID but that's as close as it gets.
http://www.nytimes.com/2004/12/24/technology/24online.html?ex=1261544400&en=7cc80182b7687ad9&ei=5090&partner=rssuserland
(Link created by the NY Times Link Generator: http://nytimes.blogspace.com/genlink )
The slashdot search page is gone. All that's available is the kinda useless Google search field at the bottom of the page.
What's the deal?
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
Next thing you know - they'll start using the "internets"!
Anyone else that does RSA Ace administration can confirm this for me, but you should be able to use the same RSA token for multiple accounts. That means ONE token for access to your bank, credit union, online stock broker, whatever.
RSA tokens come with accompanying software (or a key) which is used to import the token to the ACE authentication server. With that software you can load one token into multiple RSA servers. With a token and its software, you could send your accompanying token software to Bank A and to Bank B, they load your RSA token and you can then use the same token to authenticate to both accounts. As an added measure of security, the usernames do not have to be the same, nor does the accompanying PIN for each account.
The software I use now for importation imports batches of Ace tokens that we distribute to customers, but I am sure it wouldn't be difficult to supply one "key" per token.
I have steadily been seeing more and more phishing schemes in my email and they look more and more legit every day. Two factor authentication needs to be implemented soon before more and more people lose their money to scammers.
I would be more than happy to pay $50-$100 for a token and software that I could use to authenticate to all my online financial services.
I carry around DNA. That's all the key I need.
The distinction really should be made between RSA encryption keys used for cryptographic algorithms, and RSA SecurID tokens, which are what this news item is referring to, but are different from the public/private encryption keys!
Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general), but isn't the net effect of this type of technology supposed to be a savings? Isn't it the bank's responsibility (and liability) to make sure their customers' accounts are secure (assuming a reasonable amount of due diligence by said customers)? Isn't the savings in reduced fraud and security breaches supposed to outweigh the cost of the security devices? If not, why does the technology exist?
It sounds great and all, but unless offered as a free service, I'll sit this one out.
I think the future will be programs that seamlessly encrypt and digitally sign everything without anybody having to know or care. We can see this in SSL. Really, manually encrypting and having to use RSA and PGP keys will never catch on with the general populace.
As long as I don't have to memorize three RSA keys, I don't really care how many I have to use throughout the day -- give me a usb token or give me death.
"Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general)"
And this mystery group that will be paying the fees is?
A friend who is studying in Sweden at the moment has basically a scratch card with 40 numbers on it; when she goes to log in she enters her username and password and then scratches off a panel to get an 8 digit numeric token to enter.
When she has used about 30 of the 40, the bank sends out a new card.
It's a whole lot cheaper than handing out SecurID devices to customers and I'm really surprised that most banks don't have this already; it's the size of a credit card and fits nicely in a wallet.
I wonder why the NY Times has not complained to Slashdot about the blatant copying of materials from their site.
Secondly, why the mods here continue to give points to people who do.
If they *DON'T* protect credit (/debit) card charges with this, it's somewhat useless, since that's the simplest way for someone to suck the money out of someone's account.
If they do require charges to a credit card to be authorized by the SecurID card, it not only protects against outright stealing, but also prevents a merchant from saving your CC# and automatically rebilling you without your permission unless you jump thru their hoops to 'cancel' some service - their only recourse is to terminate the service, which is as it should be.
Does AOL also sell their members' RSA keys to spammers and the ilk?
Breaking News! Sources have just confirmed that local schools contain all the machinery necessary for creating a password cracking super computer!
Seriously though.. How would Russia be any different? Or any other industrialized nation? Or, hell, the local high school? Frankly, anyone can build at least a small scale super computer these days, and it's not hard at all to crack the kinds of passwords we're talking about here. Most of it can be done using ready-made software and requires almost no technical knowledge.
Parent needs to take a chill pill and quit blaming China for America's problems.
All of which is irrelevant. If China (or any other country) wants to get hold of a few hundred PCs to build a clustered supercomputer it's just not that difficult to do. Cripes, if Iraq can get hold of nuclear tech how hard can it be to buy a few commodity computers (or even high-end processors) on the open market? Why is this even a question?
I mean, sure, China has openly ripped off numerous technologies from a number of countries to bootstrap their high-tech economy, but to say that our banking industry is in danger specifically from China because they can (holy CPU chip, Batman!) build a Beowulf cluster is sort of ridiculous. China is a significant threat to the Western world, for a variety of reasons, but I'd say banking fraud is probably not one of the biggest ones. I'd be more concerned about Russia or Nigeria.
The higher the technology, the sharper that two-edged sword.
Yes, many Taiwanese companies have a subsidiary in China. And as China steadily opens up, so will just about every other developed nation in the world! So? Are you claiming that China is going to build a beowulf cluster to crack all the passwords and take over the world? C'mon!
I think this attitude that China, by having access to computer hardware, is a major threat is downright crazy. The RSA keys aren't there to protect the West from China! That's the kind of FUD that is endangering the West itself.
Further, I do not argue that the 'reputable' news sources you mentioned are reputable. But that's just what they are: reputable. Don't take everything you read as the gospel, there are ALWAYS biases and opinions in any news media.
People, wake up! This isn't the 70's and hell, if anything, I'm feeling that the States is becoming more and more commie and that China, OTOH, is running towards a more capitalistic economy!
I personally have an RSA SecurID that I use for work and I love it. I think it's a really great system and it meets our authentication needs. In case you aren't familiar (or haven't read other posts), SecurID is a fob that you can put on your keychain that lasts I think 5 or so years and gives you a new 6 digit token each minute. This combined with your own passphrase authenticates.
The fob uses time-based encryption against the auth server so that it knows at a given point in time what the 6 digit number should be.
Since this is already being moderated up, I want to note that the poster is wrong.
The system that the grandparent describes is based on VASCO "Digipass" devices, that work just like the RSA secureid tokens, only that they also support PINs and challenge/response authentication. That means that if everything is done correctly (which I can't swear to) these tokens, which SEB have been using for more than five years, are considerably more secure than the normal RSA SecureID.
Basically (very simplified) your normal SecurID will create a checksum from a secret and the current time, so the server can verify that the person logging in is holding the token at this time. The Digipass, on the other hand, creates a checksum of the secret, the time, and the challenge from the server. This verifies that the person logging in has access to the token at this time, and created a checksum for this particular login. And the fact that it also requires a personalized PIN to access the device means that stealing it will do you little good.
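The difference the post above describes, as an added example that is not Slashdot's, RSA's or VASCO's code: both real algorithms are proprietary, so HMAC-SHA1 with RFC 4226-style truncation stands in for the "checksum", the seed, timestamp and challenge values are constructed, and the PIN step is left out. It shows why a captured time-only code can be replayed inside the same minute while a challenge-bound code cannot (neither defeats a phisher relaying the code in real time, the point made further up the thread).

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed shared by token and server (not a real SecurID seed).
SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
STEP = 60  # seconds per code: the post says a new 6 digit token each minute


def _truncate(digest: bytes, digits: int = 6) -> str:
    """Pick 31 bits out of the MAC and reduce them to a fixed-width decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def time_code(secret: bytes, now: int) -> str:
    """Time-only token (SecurID style): code = f(secret, current minute)."""
    msg = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


def challenge_code(secret: bytes, now: int, challenge: str) -> str:
    """Challenge/response token (Digipass style): f(secret, minute, challenge)."""
    msg = struct.pack(">Q", now // STEP) + challenge.encode("ascii")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


class AuthServer:
    """Holds the same seed as the token and checks what the user types in."""

    def __init__(self, secret: bytes, challenge_source=None):
        self.secret = secret
        # Random 8-hex-digit challenges by default; the demo injects fixed ones.
        self.challenge_source = challenge_source or (lambda: secrets.token_hex(4))
        self.open_challenges = set()

    def verify_time(self, code: str, now: int) -> bool:
        # Accept the current minute plus one either side to tolerate clock drift.
        for skew in (-1, 0, 1):
            expected = time_code(self.secret, now + skew * STEP)
            if hmac.compare_digest(expected, code):
                return True
        return False

    def issue_challenge(self) -> str:
        chal = self.challenge_source()
        self.open_challenges.add(chal)
        return chal

    def verify_challenge(self, challenge: str, code: str, now: int) -> bool:
        # A challenge is good for exactly one login attempt, then it is consumed.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        expected = challenge_code(self.secret, now, challenge)
        return hmac.compare_digest(expected, code)


def replay_within_window() -> tuple:
    """A phisher captures one login and retries it 20 s later, inside the same minute.

    Returns (time_only_replay_accepted, challenge_replay_accepted).
    """
    now = 1_103_846_400  # constructed timestamp (2004-12-24 00:00:00 UTC)
    fixed = iter(["a1b2c3d4", "e5f60718"])  # constructed challenges for determinism
    server = AuthServer(SECRET, challenge_source=lambda: next(fixed))

    # Time-only token: the captured code stays valid until the minute rolls over.
    captured = time_code(SECRET, now)
    assert server.verify_time(captured, now)  # the legitimate login
    time_replay = server.verify_time(captured, now + 20)

    # Challenge/response: the captured code is bound to a challenge already used up.
    chal = server.issue_challenge()
    captured = challenge_code(SECRET, now, chal)
    assert server.verify_challenge(chal, captured, now)  # the legitimate login
    same_chal = server.verify_challenge(chal, captured, now + 20)
    fresh = server.issue_challenge()  # server asks a new question next time
    new_chal = server.verify_challenge(fresh, captured, now + 20)

    return time_replay, same_chal or new_chal


if __name__ == "__main__":
    print("time-only replay accepted / challenge replay accepted:", replay_within_window())
```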
Well, duh. Because most of us don't WANT to have to contribute our DNA just to read the freaking article.
My fear is that each bank would adopt a different technology to implement this, and I would be keeping track of 7 different tokens right now. OTOH, that is not a bad price to pay for better security of my money and lower fees, etc. on my bank accounts.
The reality is that, despite the big inconvenience, US banking customers who are victimized aren't feeling a lot of pain. Banks here are priding themselves on how quickly they restore your money if someone wipes out your account. As such, there isn't a big demand from customers for a higher level of security, so the inconvenience caused by moving to a token-based system will likely not be very successful, unless something changes.
Jerry http://www.syslog.org/
This is really why they are pushing federated identity so hard in various circles.
The solutions to multiple tokens are either to use a federated identity scheme where authentication may come from a business partner but authorization comes from your own systems (MS Passport, Liberty Alliance, etc.) or to put certificates on smart cards that you already might have (e.g. an EMV chip card that also stores "money") so that having many tokens is not really a problem. It's possible that you could do both - have federated identity with smart card tokens. This will probably happen someday.
The former is probably a huge challenge in the area of contracts, working agreements, protocols, etc etc etc. but it's being pursued because it's a good idea and would ultimately be worth the challenge. The latter is pretty easy except in USA where smart cards are not so prevalent. I guess contactless chip (RFID) could work for this purpose though...
For the tin foil hat crowd, please note that "federated" does not mean "federal." Although it's perfectly conceivable that the government could provide this authentication service to its citizens/wards (and some countries probably already do), it probably wouldn't happen in the USA for various reasons IMO.
"RSA keys" in the title is a bit misleading. It makes it sound like a full crypto implementation, using smart cards and all the capabilities that implies. It confuses the RSA crypto algorithm with the SecurID card, a product made by the company RSA.
SecurID is just a clunky authentication system using a hardware token to display numbers used for the authentication (although they do also offer software tokens; there is nothing magical about the hardware).
Why not go to a modern smart card system? It can store full certificates, and tie directly into really strong security/crypto. Tie the smart card / cert into the authentication of your system, and into IPSec, SSL, etc.
SecurID offers only the authentication piece, based on a completely closed algorithm.
RSA dongles seem like a step in the right direction, but it sure is a pain. Just for my work, I need to carry one RSA dongle, two "swipe cards", and remember (best guess) seven passwords, have a list of codes, lock combinations, and several plain old keys. It's a pain.
Biometrics - thumbprints and the like - seem like the best alternative, but the few examples I've used so far have been very finicky, and mostly used as a second layer of authentication with an access card or code.
One thing that is going to make this move quickly is the financial incentive - a few million per month in credit fraud, and some congressman getting ID theft is a pretty strong incentive to be creative.
I've emailed Bank One several times about this and can't even get the courtesy of a response. I'm even willing to pay for a token!!!
Funny, because you've already given at least as much information to Slashdot to post your comments as the NYT asks for, Bill. Or do you prefer Will?
Or better yet:
http://www.bugmenot.com/
That works quite well.
This is bullshit. Furthermore, I am of the opinion that Carthage must be destroyed.
Just program the "doors" with your public key, and have them "challenge-response" the private one.
The Raven
So, an RSA Key would be an asymmetric cryptographic key. An RSA (or SecurID) token would be the little key fob with the changing number. Methinks this is referring to the token, not key.
Around 5 years ago I was looking for a way to have a secure-id sort of solution without having to buy the proprietary software and hardware without any success. I even looked into building my own (I know a little about microcontrollers for the hardware device portion) but was not able to come up with any suitable algorithm. It seems like the security of our Linux systems and other systems which require authentication could really benefit from something like this.
Like most other response-only tokens, the authentication is based not on large primes like public-key authentication but rather on a shared secret (one copy embedded in the token, the other stored on the authentication server).
Much work has been done towards cryptanalysis of response-only tokens, and a well-designed authentication system is very difficult to break blindly, just from observation of a few response pairs. There have been potentially successful attacks proposed against the old SecurID tokens due to a "vanishing differential" problem with certain seed values, but no proof of concept against that has succeeded, and the new AES tokens should not be vulnerable. More on this is available from the SecurID Users group.
As a counter-example, the old X9.9 challenge-response authentication system was based on DES encryption, was not well-designed, and was fatally flawed. Observation of a handful of challenges and responses could allow an attacker to determine the seed value and compromise the authenticator.
I do not deploy Linux. Ever.
Also, the old X9.9 based Secure Net Key (SNK, aka Axent Defender) implementation of challenge-response was fatally flawed. There are still versions of this floating around, and it is an optional mode for the VASCO, Safeword, and CryptoCard tokens.
more detail here.
First, the consumer pays for every needed cost by a business. That's a fact just like we all pay when a scammer steals someone's credit card or someone gets into an auto accident and all our fees(credit card or insurance) get raised a little. Do you think when you get reimbursed that it's free, that the business has FREE MONEY out there??!! That's crazy. If your bank is NOT losing money because of scammers because of increased security, they save money having to reimburse their customer and they save money not having to man customer support with irate calls from customers who are crying about an account hijack.
Therefore, why are customers expected to pay $10 for these? Certainly, banks will recoup the costs somehow (through higher fees in general), but isn't the net effect of this type of technology supposed to be a savings?
The bank can "bury" the fees & pretend to you that it's free, but you (I hope) and me know that's a load of BS. The customer pays no matter what. Any bank who says it's free is lying. We all pay one way or another.
Isn't it the bank's responsibility (and liability) to make sure their customers' accounts are secure (assuming a reasonable amount of due diligence by said customers)?
True, but the bank doesn't have direct control over every computer in the world which can easily keylog any of their customers and stick their password and username into their bank website. They give warnings, but when the THIRD WORLD has EASY ACCESS to every first world nation customer's account & law enforcement in those countries are corrupt, you expect the bank to still provide security in said countries??!! The bank's response would be: Don't do any more banking online. Go directly to your bank where they can put a camera on you and talk to you and see your bank account pass book.
Isn't the savings in reduced fraud and security breaches supposed to outweigh the cost of the security devices? If not, why does the technology exist?
In the long run, the costs go down.
It sounds great and all, but unless offered as a free service, I'll sit this one out.
I don't mind if you sit it out and my cousin who works in the bank doesn't mind if you leave for another bank because you pay no matter what. Also, those BANKS with the BEST SECURITY REPUTATIONS WILL CONTINUE TO GAIN THE CUSTOMERS, especially the ones who understand there is a big problem with keeping 3rd world scammers & anonymous computer user scammers away from their accounts and WHO just want to BE COMFORTABLE DOING BUSINESS ONLINE.
* weedshare.com 50% to artists, webjay.org iuma.com CDBaby.com Epitonic.com ampcast.com
Have you looked at GNU SASL (Simple Authentication and Security Layer framework)?
An open source implementation of the SecurID time-based authentication algorithm is not possible because RSA holds several patents covering their whole time-based authentication scheme. The closest solution in the open-source world might be OPIE (formerly S/Key). OpenBSD and other operating systems include S/Key support in the base OS. There are OPIE calculators for MD4/MD5 in Java and for most handhelds, but it is tough to find a SHA-1 or RMD-160 implementation, and I have yet to run across any dedicated hardware device that does nothing but handle OPIE authentication. With the uncertainty about SHA-1, you might plan to implement only RMD-160 (160 bit RIPE Message Digest). Tokens would need a bit more CPU power to handle a few hundred rounds, but at least there is a good chance that RMD will still be a viable hash, long after SHA-1 falls.
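The hash-chain idea behind the S/Key and OPIE one-time passwords mentioned above, as an added example that is neither the poster's code nor OPIE itself: real S/Key folds each digest to 64 bits and prints it as six short words, and this simplified version keeps whole digests, uses SHA-1 from hashlib (swap in "md5" or, where your OpenSSL build offers it, "ripemd160"), and the passphrase, seed and sequence count are constructed.

```python
import hashlib
import hmac


def otp_chain_value(passphrase: str, seed: str, n: int, algo: str = "sha1") -> bytes:
    """Return H^n(seed || passphrase): the hash applied n times, as S/Key does.

    The "few hundred rounds" the post mentions is exactly this loop; the
    token or calculator only needs the passphrase, seed and the count n.
    """
    value = (seed + passphrase).encode("utf-8")
    for _ in range(n):
        value = hashlib.new(algo, value).digest()
    return value


class OtpServer:
    """Stores only the last accepted password (H^k), never the passphrase.

    A keylogger or shoulder-surfer learns H^(k-1) from a login, and inverting
    the hash to get H^(k-2) for the next login is what the chain prevents.
    """

    def __init__(self, seed: str, sequence: int, top_value: bytes, algo: str = "sha1"):
        self.seed = seed
        self.sequence = sequence      # count of the value currently on file
        self.last = top_value         # H^sequence, registered at enrolment
        self.algo = algo

    def prompt(self) -> str:
        """What the server shows the user, who types it into the calculator."""
        return f"otp-{self.algo} {self.sequence - 1} {self.seed}"

    def login(self, candidate: bytes) -> bool:
        """Accept iff hashing the candidate once yields the value on file."""
        if self.sequence <= 1:
            return False  # chain exhausted: the user must re-enrol with a new seed
        check = hashlib.new(self.algo, candidate).digest()
        if not hmac.compare_digest(check, self.last):
            return False
        # Move the chain down one link so the same value can never be reused.
        self.last = candidate
        self.sequence -= 1
        return True


def demo_session() -> tuple:
    """Enrol, log in, replay the captured value, then log in with the next one.

    Returns (first_login_ok, replay_ok, next_login_ok).
    """
    passphrase, seed, n = "correct horse battery", "sl0001", 500  # constructed
    server = OtpServer(seed, n, otp_chain_value(passphrase, seed, n))

    # Client reads "otp-sha1 499 sl0001" from the prompt and computes H^499.
    first = otp_chain_value(passphrase, seed, n - 1)
    ok_first = server.login(first)

    # The same value, captured during that login, is tried again.
    ok_replay = server.login(first)

    # Legitimate user answers the new prompt (count 498) with H^498.
    nxt = otp_chain_value(passphrase, seed, n - 2)
    ok_next = server.login(nxt)
    return ok_first, ok_replay, ok_next


if __name__ == "__main__":
    print("first login / replay / next login:", demo_session())
```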
How long before everyone needs to carry around 5 different RSA keys just to perform daily tasks?
I have five real keys that I use on a daily basis (house, office, building master, car, garage)- If I replaced a couple of these with RSA keys and added some more, I personally think it'd be really cool.
I'd like to see something that can do the same for digital signatures on non-financial documents. Something like a security-hardened tablet PC so you can review and sign a contract in a secure digital form?
Sounds like Citibank's VAN taken a step or three further. There are a couple of new tokens coming on the market which offer both an LCD display and also a USB connection, but they only seem to have one line of maybe 6-8 alphanumerics, and just a single push button (for response-only auth token use). Not quite enough output or inputs to implement something like what you describe.
"Bottom line, if the feature is optional with a fee, I'll sit it out (at the bank's expense if my account is hacked, no less). If it's required to open/maintain an account and incurs a fee to obtain, I'll take my business elsewhere. A smart bank will distribute these for free to members who wish to use them, since they should--if they are a valid technology at all--save the bank more money than they cost."
I really hate having to combat ignorance of business and economics, but you deserve it.
All costs to operate a business come from the customers. Even profits come from customers. Losses are recovered from someone too.* There is no magic money fairy. The best anyone can do is shift them around, from either one group to another, or pay for it from future revenue. It still comes from customers. Period. No ifs, ands, or buts. What you really meant to say is "I want to shift costs (losses) to someone else, and if I don't get my way, I'm taking my business to another bank that doesn't operate under economic principles".
*This "someone" can be customers, and in the case of federal insurance, "someone" is the citizenry. Criminals (unless caught) don't pay. So "zero liability" doesn't mean "I don't pay". It means you have the perception of not paying. Taxes, or higher fees, your choice.
"save the bank more money than they cost."
Save YOU money. The bank is just incidental.
Using RSA security tokens (of the hardware variety) is unnecessarily expensive. One-time passwords (strikelists) are cheap and proven technology. US banks should start using them--banks elsewhere already do.
Let's patent "use of hardware cryptographic device during online banking for additional security".
Online backup with Mozy, sounds like Ozzie, but more!
The reality is that the RSA key is a godsend for protecting your accounts. Many Americans are simply unaware of the fact that the NSA can now assemble a supercomputer and eat it for lunch. This supercomputer can easily crack the passwords of many accounts at your bank, brokerage, etc. Oh, and it can tell what emails you read and what pr0n sites you surfed and even which route you take to work every day!
The RSA will help to protect Western bank/brokerage accounts from Big Brother's theft. With the Patriot Act comes the requirement to surrender your wealth unconditionally to The Party. That the majority of stolen credit card numbers end up in the hands of NSA and FBI agents, aided and abetted by Bush, in Washington should surprise no one.
Oh wait, they already have more legitimate ways of doing such things.
Come on! How the heck would thugs gain access to a Supercomputer? Do you see it happening in USA? How about that happening in an even more oppressive society? Unlike in the US, this kind of thing is punishable by death!
I know it's probably too late for anyone to see this, but here's what my typical day looks like:
Wake up. Power on computer, wash up while booting. Authenticate with Windows. Launch Outlook, authenticate with Exchange server. Hibernate computer. Grab cell phone, wallet, keys, etc. Leave apartment, authenticate with locks on apartment door. Walk to car, authenticate with car door locks. Get in car. Authenticate with ignition. Drive to work. Authenticate with cell phone, call voice mail, authenticate with voicemail, hit speakerphone and listen to messages. Lock phone. Park at work, lock car.
Authenticate with front door at work. Greet co-workers. Sit down at desk, turn on monitors, authenticate with computer. Launch Outlook, authenticate with Exchange. Call voice mail from work phone, authenticate with voicemail. Listen to messages, hang up.
Terminal Service to Exchange server, authenticate with server. Launch MMC, check event logs, Exchange logs, IIS logs, backup logs. Check performance monitor. Launch Exchange Anti-Virus. Authenticate with Anti-Virus program. Check logs. Minimize terminal service session with Exchange server.
Terminal service to SQL server, authenticate with server. Launch MMC, check event logs, SQL logs, IIS logs, backup logs. Check performance monitor. Minimize terminal service session with SQL server.
Launch Firefox, browse to SharePoint, authenticate, read messages. Browse to Gmail, authenticate, read messages. Browse to online bank, authenticate, check balance. Browse to credit card, authenticate, check balance. Browse to photography community message board, authenticate, check private messages. Browse to Slashdot, authenticate, check headlines.
Get call from manager, talk about project. Browse to file repository, authenticate, download requirements document. Browse to print server, authenticate, print requirements document. Write notes on project, browse to project worksite, authenticate, upload file.
Get call from user, walk user through troubleshooting steps, walk user through remote assistance request steps. Launch messenger, authenticate, receive remote assistance request. Initiate connection with VPN server, authenticate. Launch remote assistance application, connect to remote user, authenticate. Troubleshoot problem. Maximize Exchange server terminal service window. Authenticate with locked screen saver. Open MMC, reset user password. Disconnect from remote assistance request.
Browse to network share, authenticate, copy backup files to removable hard disk. Log off from terminal service sessions and local machine. Grab hard disk and leave office. Lock office door. Authenticate with car door, authenticate with ignition, drive home. Authenticate with apartment door, turn on computer, authenticate, launch Outlook, authenticate with Exchange, read messages. Grab bike and leave house. Authenticate with front door. Ride bike to gym. Lock bike in parking lot. Work out. Leave gym, authenticate with bike lock. Ride home. Authenticate with mailbox, get mail, lock mailbox. Authenticate with front door.
It's now 6:00 and I've authenticated with something or another 40 times. My day is only half over. I carry 8 keys in my pocket, and about 40 different passwords in my head. I am constantly locking and unlocking various things. My case may be a bit more extreme being a system administrator, but trust me, you do this too, and it's probably just as bad. This was just a quick summary; I'm sure I left off about 100 other authentications. Welcome to Earth.
I'd like to be able to use just the one key for all the secure sites I go to.
... and I'd like that to be my OpenPGP key.
Surely it must be possible for me to give my public key to a bank (or whatever) and have them authenticate me using that key. e.g. by them sending out a hash, having me sign it using my private key, and then having them check that the signature is good.
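The challenge-response login sketched above, written out as an added Go example that is not from the original thread: the bank keeps the customer's enrolled RSA public key, hands out a random nonce, and checks an RSA-PSS signature over account||nonce. The names (Bank, Challenge, Respond, newKey) are my own; each nonce is accepted exactly once, so a response captured by a phisher cannot be replayed, and the account is hashed into the signed data so a response for one account is useless for another.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
)

type Bank struct {
	keys    map[string]*rsa.PublicKey // account -> enrolled public key
	pending map[string]string         // hex(nonce) -> account it was issued to
}

func NewBank() *Bank { return &Bank{keys: map[string]*rsa.PublicKey{}, pending: map[string]string{}} }
func (b *Bank) Enroll(account string, pub *rsa.PublicKey) { b.keys[account] = pub }
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // customer key pair (illustrative size)

// Challenge hands the customer a fresh random nonce and remembers which account it was issued to.
func (b *Bank) Challenge(account string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[hex.EncodeToString(nonce)] = account
	return nonce, nil
}

// toSign hashes account||nonce so a response signed for one account cannot be presented for another.
func toSign(account string, nonce []byte) []byte {
	h := sha256.Sum256(append([]byte(account+"|"), nonce...))
	return h[:]
}

// Verify consumes the nonce (single use) before checking the signature, so a captured response cannot be replayed.
func (b *Bank) Verify(account string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	issuedTo, ok := b.pending[key]
	delete(b.pending, key)
	if !ok || issuedTo != account || b.keys[account] == nil {
		return false
	}
	return rsa.VerifyPSS(b.keys[account], crypto.SHA256, toSign(account, nonce), sig, nil) == nil
}

// Respond is the customer side: sign the bound challenge with the enrolled private key.
func Respond(priv *rsa.PrivateKey, account string, nonce []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, toSign(account, nonce), nil)
}
```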
If a phisher grabs the login and races in, you will end up with two sessions open to the same account. If the bank sees this happen, just lock out the account as a precaution. Under most "normal" circumstances two sessions for the same account should not occur - except for possibly automated software like Quicken. For the sake of security, however, I'm sure people won't mind making sure Quicken isn't logging into your bank account when you want to manually log in.
I think this is LONG overdue. I hope Canadian banks don't lag behind on some sort of hardware token. I know I cross my fingers whenever I visit friends or relatives and find their computers spyware and virus infested.
It's a surprisingly short jump from spyware to keylogging trojan... it scares me actually.
Use paragraph breaks, you stupid fornicating vagina karma prostitute.
German banks have used DES and RSA keys on chipcards for years. Together, they developed the Homebanking Computer Interface (HBCI) and the FinTS - Financial Transaction Services: http://www.hbci-zka.de/english/index.htm/
It works like a charm with http://www.gnucash.org/. I just insert my chipcard into my reader and can do as many transactions as I want without the hassle of PIN/TAN crap and have a fully working financial solution for my everyday need.
The big players on the field have broken RSA years ago already. The small ones can crack only about 2048 bit keys at the moment. That stuff is really protecting you from the John Does and amateurs only.
Why all this fuss and crap, why not use CASH?
Actually, I haven't. What information I have provided for /. registration was *my* decision, and is required only to *post* articles, not to *read* them.
If you can't see the difference, then I can't help you.....
If you're not living on the edge, you're just taking up space!
As I read this, and from the postings made by Dave Winer, this is intended to be used by blogs. If /. is CmdrTaco's blog, which it still really is (though it's owned by VA), then /. should be able to use these links to keep the links to the stories permanent, as NYT intends to do with this mechanism. So why don't they? This way, searching the archives of /. won't give you links to stories that don't work!
If VA needs to work with the NYT to get a partnership with VA as Userland has done, then it makes sense for them to do it. Users might stop Karma Whoring the NYT text, and NYT could keep their advertising revenue. It would benefit all! This is what doing business is supposed to be like.
(Anyone from VA or /. management care to say if this is in the works, or if it's been tried, etc.?)
I never laughed so much as when I went to get some money from the hole in the wall and saw a Windows desktop, a McAfee loading icon emblazoned over the centre of the screen and a DOS window which said something about checking system before reboot and was spitting out progress dots.
I ran home to get my digital camera but the screen had been shut off by the time I returned - Halifax Bank of Scotland (why not Bank of Halifax & Scotland ??)
If banks R this Lame then I guess RSA is redundant. Will Cyber criminals be uploading password sniffers directly via magnetic cards?
Well in a few years quantum computing will instantly make all currently popular encryption methods obsolete. All methods based on keys/prime numbers, that kinda thing like RSA, or the keys in your browser, they will all be instantly able to be "brute forced" with quantum computers. IBM has already demonstrated some simple versions that were able to figure out periods of functions in 1 step (instead of trying out numbers until it fit).
So the /. question about whether we are all going to carry RSA keys is moot.
They are backward people, even Chinese and Russians are more advanced (IIS supply anyone?). USA is great only when it comes to lawsuits and corporate greed.
Go grab those torrents.
You can't bet everything on P != NP. RSA and most encryption can only be trusted for the next 6 months at a time, or less.
I've always wanted to have my thumb chopped off so a thief can get into my building.
Sorry, but that's more FUD. I work for a bank and the reason that they might ask you for this is the following:
Outsource providers.
Many banks do not handle their own data centers, nor do many handle their internet systems. They outsource them. There are also other systems (such as wire transfers, ACH, check processing, etc.) that are handled by third parties. Just listing them for my bank would take about a half a sheet of paper (and we aren't *that* big!).
GLB and *many* other regulations prevent disclosure of confidential information. What's confidential, you might ask? Well, to start with, I can't even tell you if company X or individual Y is *even a customer* of our bank. That's in violation of the regs. Now, hmmm, where can I continue if I can't even *name* them...?
Sorry, but this isn't to sell your information it's to protect the bank.
For those (small number) of Banks that do *large* Credit Card operations what I've said may not be as true, but mostly regarding the Credit Card side of the operations, not the Banking side.
Can we please not use "FUD" to describe anything that happens to be untrue? It is an acronym and as such it actually stands for something. Thanks.
Now before I get modded down, I beg to remind whoever might read this that what I am saying is FACT. - bogaboga
Fuck me, some people just blow my mind. Do you seriously think you're being funny by linking to that shit in your sig?
Bitch!
This claim is bogus, and is a claim about the public key RSA algorithm, which has nothing to do with the actual subject of the article, the RSA "SecurID" hardware token.
The currently shipping RSA hardware tokens are based on AES, and even the older tokens are not known to be broken.
There have only been two documented theoretical attacks against the SecurID tokens -- an attack against the software RSA token emulator (the article is about the hardware token only) and a theoretical attack against older RSA tokens, which would only be effective against certain "seed" values and only after observing hundreds of the displayed token values over at least several weeks. When the latter research was published, RSA changed how they generated "seed" values to ensure that this attack would not function in the real world.
Since the tokens are not renewable and expire in 3-5 years, any older "weak" tokens will eventually be retired.
I do not deploy Linux. Ever.