Re: AW: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistant to online and offline attacks)

From: Florian Weimer <fw@deneb.enyo.de>
Date: Thu, 15 Mar 2007 12:23:42 +0100
To: Chris Drake <christopher@pobox.com>
Cc: Jörg Schwenk <joerg.schwenk@rub.de>, "'Dan Schutzer'" <dan.schutzer@fstc.org>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
Message-ID: <87ejnqpx6p.fsf@mid.deneb.enyo.de>

* Chris Drake:

> How is this a solution?  Giving the man in the middle both the
> transaction number, and the answer to the random challenge still
> enables him to do whatever he wants (albeit just "now", as opposed to
> anytime he wants "in future").

The response to the challenge is tied to the target bank account
number of the bank transfer (which is why the customer needs to enter
it on the token).

> Are German banks doing anything to help tell the customer that they're
> banking on the correct web site, and not some imitation phishing
> version?

Typically, the customer PC is compromised, so they are at risk even if
they visit the right web site.

> My guess is that they're not protecting against MiTM at all, and
> simply using disposable identifiers to minimize/limit phishing risks
> to single-sessions.

Uhm, no.  MITM is a significant concern.

Received on Thursday, 15 March 2007 11:25:27 GMT
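An added illustration of the property Florian describes above (this is example code written for this archive page, not part of his mail and not any bank's actual token protocol): the token's response is a MAC over the bank's random challenge together with the target account number the customer keys into the token, so a man in the middle on the compromised PC who rewrites the destination ends up with a response the bank rejects, and a captured response cannot be reused for a later transfer. The shared key, the 6-digit response length and the account numbers are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed for this example: the secret shared between the bank and the
# customer's hardware token (in practice this would live on the chip card).
TOKEN_KEY = b"example-token-key-not-a-real-secret"
TAN_DIGITS = 6  # assumption: the token displays a 6-digit response


def token_response(key: bytes, challenge: bytes, target_account: str) -> str:
    """The token's side: MAC the bank's random challenge together with the
    destination account the customer typed on the token's keypad.
    A response therefore only authorises a transfer to that one account."""
    msg = challenge + b"|" + target_account.encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**TAN_DIGITS:0{TAN_DIGITS}d}"


@dataclass(frozen=True)
class Transfer:
    target_account: str
    amount_cents: int


class Bank:
    """The bank's side: a fresh challenge per pending transfer, and the
    expected response is recomputed over the destination the bank actually
    received, not over anything the PC claims."""

    def __init__(self, token_key: bytes) -> None:
        self.token_key = token_key
        self.pending: Dict[str, Tuple[Transfer, bytes]] = {}

    def start_transfer(self, t: Transfer) -> Tuple[str, bytes]:
        tx_id = secrets.token_hex(4)
        challenge = secrets.token_bytes(8)
        self.pending[tx_id] = (t, challenge)
        return tx_id, challenge

    def complete_transfer(self, tx_id: str, response: str) -> bool:
        entry = self.pending.pop(tx_id, None)  # one-shot: consumed on first use
        if entry is None:
            return False
        t, challenge = entry
        expected = token_response(self.token_key, challenge, t.target_account)
        return hmac.compare_digest(expected, response)


def attempt(mitm_target: Optional[str] = None, replay: bool = False) -> bool:
    """One transfer submitted through a possibly compromised PC.
    mitm_target: if set, malware rewrites the destination before it reaches
    the bank. The customer still keys the INTENDED account into the token
    (taken from the invoice, not from what the screen shows)."""
    bank = Bank(TOKEN_KEY)
    intended = Transfer("DE00 0000 1111 2222", 10_000)  # constructed sample
    seen_by_bank = Transfer(mitm_target or intended.target_account,
                            intended.amount_cents)
    tx_id, challenge = bank.start_transfer(seen_by_bank)
    response = token_response(TOKEN_KEY, challenge, intended.target_account)
    accepted = bank.complete_transfer(tx_id, response)
    if replay:
        # The attacker captured tx_id and response and tries them again later.
        return bank.complete_transfer(tx_id, response)
    return accepted


def demo() -> Dict[str, bool]:
    return {
        "honest": attempt(),
        "mitm_rewrite": attempt(mitm_target="DE99 ATTACKER ACCOUNT"),
        "replay": attempt(replay=True),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:13s} accepted={accepted}")
```

Two caveats follow directly from the model. The protection depends on the customer taking the account number from an out-of-band source rather than from the screen of the compromised PC; if the malware shows its own account and the customer copies that onto the token, the MAC is computed over the attacker's destination and the bank accepts it. And as the mail describes it, only the destination is bound; binding the amount into the MAC the same way is the natural extension.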