German banks are currently adopting some kind of "transaction aware OTP" solution: Customers have to type the target account number together with a random challenge into an OTP device. This seems to be a good solution against MITM attacks.

Joerg

-----Original Message-----
From: Florian Weimer [mailto:fw@deneb.enyo.de]
Sent: Tuesday, 13 March 2007 10:49
To: Dan Schutzer
Cc: 'Chris Drake'; 'Jörg Schwenk'; 'James A. Donald'; public-usable-authentication@w3.org
Subject: Re: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistent to online and offline attacks)

* Dan Schutzer:

> One time passwords are susceptible to real time man in the middle
> attacks

You don't even need real-time attacks, you just block every other transaction, claiming that the password has already been used, and have the Trojan horse send you those unused passwords. That's why it's interesting to tie one-time passwords to particular transactions. There are very complex trade-offs involved, and the whole thing is a topic of ongoing research, on both sides.

> Cookies can be insecure if they store sensitive information in the clear

A lot of sensitive cookies are insecure because they aren't restricted to HTTPS. 8-(
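As an added illustration (not part of this thread, and not any bank's actual scheme), the following Python sketches the idea both messages touch on: the OTP is an HMAC over the bank's challenge and the destination account the customer types into the device, so a code captured for one transfer does not verify for a different destination and cannot be replayed. The device key, account numbers and HOTP-style truncation are assumptions.

```python
import hmac
import hashlib
import secrets
import struct

# Hypothetical secret personalised into the customer's OTP device
# (constructed sample value, not a real key).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_otp(key: bytes, challenge: str, target_account: str, digits: int = 6) -> str:
    """Transaction-bound OTP: HMAC-SHA256 over the bank's challenge and the
    destination account typed into the device. Changing either input
    changes the code. (Assumed construction for illustration only.)"""
    msg = challenge.encode() + b"|" + target_account.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): 4 bytes at an offset taken
    # from the low nibble of the last MAC byte, top bit cleared.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Bank:
    """Server side: issues one challenge per transfer and verifies the code
    against the account that was actually submitted, not the one the
    customer believed they were paying."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}  # challenge -> True once consumed

    def issue_challenge(self) -> str:
        c = secrets.token_hex(4)
        self.pending[c] = False
        return c

    def submit_transfer(self, challenge: str, target_account: str, otp: str) -> bool:
        if self.pending.get(challenge) is not False:  # unknown or already used
            return False
        expected = transaction_otp(self.key, challenge, target_account)
        ok = hmac.compare_digest(expected, otp)
        if ok:
            self.pending[challenge] = True  # one-time: consume the challenge
        return ok  # a real server would also rate-limit failed attempts


def demo():
    """Returns (swapped destination, genuine transfer, replay) outcomes."""
    bank = Bank(DEVICE_KEY)
    challenge = bank.issue_challenge()
    otp = transaction_otp(DEVICE_KEY, challenge, "DE00 1234")  # customer's device
    return (bank.submit_transfer(challenge, "DE00 9999", otp),   # altered account
            bank.submit_transfer(challenge, "DE00 1234", otp),   # genuine
            bank.submit_transfer(challenge, "DE00 1234", otp))   # replay
```

`demo()` returns `(False, True, False)`: the code only authorises the transfer whose destination the customer actually entered, and only once.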
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT