- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Wed, 14 Mar 2007 22:20:32 +0100
- To: Jörg Schwenk <joerg.schwenk@rub.de>
- Cc: "'Dan Schutzer'" <dan.schutzer@fstc.org>, "'Chris Drake'" <christopher@pobox.com>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
* Jörg Schwenk:

> German banks are currently adopting some kind of "transaction aware OTP"
> solution: Customers have to type the target account number together with a
> random challenge into an OTP device. This seems to be a good solution
> against mitm attacks.

It's a good solution against eroding confidence among customers and security professionals. Beyond that, I'm not so sure what will happen. Fraud levels won't change that much, I suppose, and it remains to be seen if the banks can reallocate the resources they currently throw at the problem. After all, all those customer PCs are as easily compromised as before.

Anyway, this whole discussion suffers from the major defect that it's rather unscientific: most people who work in the field try to create a feedback loop, making most of their observations of questionable value. And there are very compelling reasons to refrain from discussing many aspects publicly (further eroding confidence being one of them, just look at the half-baked position statement GI e.V. recently published).

But even if you've got access to published incident information, it should be clear that (a) PKI isn't the solution, (b) browsers cannot solve the problem, (c) operating systems, either, (d) going two-factor doesn't help at all, and (e) among the best defenses is an antiquated banking system which doesn't offer convenient bank transfers to consumers.
Received on Wednesday, 14 March 2007 21:21:59 UTC
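The "transaction aware OTP" scheme quoted above, as an added illustration that is not part of the original thread: the device derives the one-time code from both the bank's random challenge and the target account number the customer typed, so a code is only valid for that exact transfer. The contrast with a challenge-only OTP shows why the binding matters: a code that depends on the challenge alone still verifies after malware on the PC swaps the beneficiary account. The key, challenge, account numbers and the HMAC-SHA256/HOTP-style truncation are constructed assumptions for this example, not a description of any bank's actual device.

```python
import hashlib
import hmac
from typing import Optional

# Constructed shared secret between the bank and the customer's OTP device.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Constructed transaction: the bank's challenge and the account the customer intends to pay.
CHALLENGE = "48213957"
INTENDED_ACCOUNT = "DE89370400440532013000"


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP-style (RFC 4226) dynamic truncation to a short numeric code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def challenge_only_otp(key: bytes, challenge: str, digits: int = 8) -> str:
    """Classic challenge/response OTP: depends on the challenge only."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return _truncate(mac, digits)


def transaction_otp(key: bytes, challenge: str, target_account: str, digits: int = 8) -> str:
    """Transaction-aware OTP: the code is bound to challenge AND target account."""
    msg = f"{challenge}|{target_account}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verifies(key: bytes, challenge: str, submitted_account: str, submitted_otp: str,
                  transaction_aware: bool) -> bool:
    """Bank-side check against the account number that actually arrived in the request."""
    if transaction_aware:
        expected = transaction_otp(key, challenge, submitted_account)
    else:
        expected = challenge_only_otp(key, challenge)
    return hmac.compare_digest(expected, submitted_otp)


def simulate(tampered_account: Optional[str], transaction_aware: bool) -> bool:
    """Customer computes the code for INTENDED_ACCOUNT on the device; the PC may
    submit a different account number. Returns whether the bank accepts the transfer."""
    if transaction_aware:
        otp = transaction_otp(DEVICE_KEY, CHALLENGE, INTENDED_ACCOUNT)
    else:
        otp = challenge_only_otp(DEVICE_KEY, CHALLENGE)
    submitted = tampered_account if tampered_account is not None else INTENDED_ACCOUNT
    return bank_verifies(DEVICE_KEY, CHALLENGE, submitted, otp, transaction_aware)


if __name__ == "__main__":
    swapped = "DE02120300000000202051"  # constructed attacker-controlled account
    print("honest transfer, transaction-aware :", simulate(None, True))
    print("swapped account, transaction-aware :", simulate(swapped, True))
    print("swapped account, challenge-only OTP:", simulate(swapped, False))
```

The binding covers only what the customer keys into the device, so it addresses silent substitution of the account number by the PC, not a customer who is persuaded to type the wrong account in the first place, which is one reason the reply above is sceptical about its effect on overall fraud levels.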