- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Thu, 15 Mar 2007 12:23:42 +0100
- To: Chris Drake <christopher@pobox.com>
- Cc: Jörg Schwenk <joerg.schwenk@rub.de>, "'Dan Schutzer'" <dan.schutzer@fstc.org>, "'James A. Donald'" <jamesd@echeque.com>, <public-usable-authentication@w3.org>
* Chris Drake:

> How is this a solution? Giving the man in the middle both the
> transaction number, and the answer to the random challenge still
> enables him to do whatever he wants (albeit just "now", as opposed to
> anytime he wants "in future").

The response to the challenge is tied to the target bank account number of the bank transfer (which is why the customer needs to enter it on the token).

> Are German banks doing anything to help tell the customer that they're
> banking on the correct web site, and not some imitation phishing
> version?

Typically, the customer PC is compromised, so they are at risk even if they visit the right web site.

> My guess is that they're not protecting against MiTM at all, and
> simply using disposable identifiers to minimize/limit phishing risks
> to single-sessions.

Uhm, no. MITM is a significant concern.
Received on Thursday, 15 March 2007 11:25:27 UTC
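An added illustration, not part of the thread, of the binding Florian describes: the token's response covers the challenge together with the destination account and amount, so a relayed response only verifies for the transfer the customer actually keyed in. The MAC function (HMAC-SHA256), the key, the challenge and the account numbers are all constructed placeholders; the mail does not specify the real token algorithm.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo secret shared by the bank and the customer's token.
# A real token keeps this in tamper-resistant hardware; placeholder only.
TOKEN_KEY = b"demo-shared-secret-not-real"


@dataclass(frozen=True)
class Transfer:
    transaction_number: str   # the transaction number shown to the customer
    dest_account: str         # target account the customer types into the token
    amount_cents: int


def token_response(key: bytes, challenge: bytes, transfer: Transfer) -> str:
    """What the customer's token computes: a MAC over the challenge AND the
    transfer details, so the response is valid for this exact transfer only."""
    msg = b"|".join([
        challenge,
        transfer.transaction_number.encode(),
        transfer.dest_account.encode(),
        str(transfer.amount_cents).encode(),
    ])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def bank_verifies(key: bytes, challenge: bytes, submitted: Transfer, response: str) -> bool:
    """The bank recomputes the MAC over the transfer it actually received."""
    expected = token_response(key, challenge, submitted)
    return hmac.compare_digest(expected, response)


def mitm_scenario() -> dict:
    """Three outcomes for one genuine response captured by a man in the middle."""
    challenge = b"c0ffee42"  # constructed; in practice random per transaction
    intended = Transfer("TX-1001", "DE00 1234 5678", 25_000)
    response = token_response(TOKEN_KEY, challenge, intended)
    # Attacker relays the genuine response but swaps the destination account.
    diverted = Transfer("TX-1001", "DE00 9999 9999", 25_000)
    # Attacker relays the genuine response with a changed amount.
    inflated = Transfer("TX-1001", "DE00 1234 5678", 250_000)
    return {
        "intended": bank_verifies(TOKEN_KEY, challenge, intended, response),
        "diverted": bank_verifies(TOKEN_KEY, challenge, diverted, response),
        "inflated": bank_verifies(TOKEN_KEY, challenge, inflated, response),
    }
```

Only the transfer the customer confirmed on the token verifies; that is the sense in which the attacker's window is limited to "now" and to that one transfer rather than to anything he wants.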