Subject: Re: Statistical Attack Against Virtual Banks
From: HC Security (securit ONLINE.NO)
Date: Wed Feb 09 2000 - 02:06:10 CST
> > Here in Norway I don't know of _any_ "virtual bank" which doesn't _at
> > least_ use one-time passwords, or so-called digipasses (the user types his
> > PIN on a small, personal calculator-type device which returns a 6 digit
> > code to use for authentication in the virtual bank - this code expires
> > after 15 min or so).
>
> I don't see why this is better than a PIN, unless it is a separated
> device (with the overhead of the user having to carry this token). In
> addition, if I know how the device generates the code from the PIN, this
> only represents an extra step in the attack.

I was a little quick there. The one-time passwords (numbers) and digipasses
won't appear more secure when it comes to the statistical attack. However,
they drastically improve the security for the individual user as it
prevents or hinders other types of attacks/hacks. Also, each digipass is
hardcoded so they generate the key differently. What's more of a problem is
the banks' tendency to choose too short public/private keys (512/40 is common).

--
Regards,
Snorre Haugnes
HC Security