Rogier Mulhuijzen wrote:

> I'm surprised that banks use such simple things as passwords. Banks here
> in the Netherlands use things like one-time PINs, and challenge/response
> stuff that uses your chipped bank card. Seems a little safer to me.

Banks use such simple things because they are cost effective, or rather, the cost of doing anything genuinely more effective is so prohibitive that they won't be doing it unless required by legislation or until the cost of the fraud due to not doing it significantly outweighs the cost of doing it properly (I give them about another 3-5 years on that criterion).

I'm pleased you like your Dutch bank's OTP cards/toggles/etc., but are they really any better than the worthless CitiBank OSK? Sure, they're a lot more expensive and a lot more "high-tech", but unless they are doing end-to-end client and server authentication and strong crypto _AND_ have their own input and output devices that cannot be interfaced from the host OS _AND_ are required for verifying (virtually) every step of every transaction (in other words -- if you have any of the real-world implementations of banking OTP cards used anywhere in the world, the answer is "no"), they are effectively no better than the Citi OSKs, as they are trivially MiTM'ed via on-client malware. Your smug belief in the superior security of your OTP card-based system is just as misplaced as that of anyone foolish enough to believe that Citi really ratcheted up the bar with its OSK.

Now, imagine you have the choice of being a shareholder in your Dutch bank or Citi, and on every other measure these banks rate the same -- Citi is a better deal as it uses less expensive tech to implement the same level of flawed "security", so should produce a better RoI...

Now do you see why banks use such simple things as OSKs and your OTP card?

Regards,

Nick FitzGerald
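The distinction Nick draws between a token that just emits a one-time code and one that verifies the details of every transaction can be shown server-side. The following is an added illustration, not code from the thread or from any bank; the shared secret, account numbers, amounts and the two verification routines are all constructed for the demo. It models a plain counter-based OTP next to a code bound to the destination account and amount (as a token with its own display would compute after the customer confirms them), and checks what the bank accepts when the transaction submitted from the infected host differs from the one the customer intended.

```python
import hmac
import hashlib
import struct

# Constructed demo secret shared between the customer's token and the bank (not a real key).
SECRET = b"demo-shared-secret"

def _truncate(mac: bytes) -> str:
    """Reduce a MAC to a 6-digit code, as a small display would show it."""
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)

def counter_otp(counter: int) -> str:
    """Plain event-based OTP: depends only on the counter, not on what is being authorised."""
    return _truncate(hmac.new(SECRET, struct.pack(">Q", counter), hashlib.sha256).digest())

def transaction_code(counter: int, account: str, amount_cents: int) -> str:
    """Transaction-bound code: the token MACs the account and amount it showed the customer."""
    payload = struct.pack(">Q", counter) + account.encode() + b"|" + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(SECRET, payload, hashlib.sha256).digest())

def bank_accepts_plain_otp(submitted: dict, counter: int, code: str) -> bool:
    """The bank can only check that the code is valid for this counter; the payee is unverified."""
    return hmac.compare_digest(counter_otp(counter), code)

def bank_accepts_bound(submitted: dict, counter: int, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    expected = transaction_code(counter, submitted["account"], submitted["amount_cents"])
    return hmac.compare_digest(expected, code)

def simulate(tampered: bool) -> dict:
    """Customer authorises `intended`; if `tampered`, the host submits a different payee/amount."""
    intended = {"account": "NL00DEMO0123456789", "amount_cents": 5_000}   # constructed
    counter = 42
    otp = counter_otp(counter)                                            # what a plain token shows
    bound = transaction_code(counter, intended["account"], intended["amount_cents"])
    submitted = {"account": "NL00DEMO9999999999", "amount_cents": 250_000} if tampered else dict(intended)
    return {
        "plain_otp_accepted": bank_accepts_plain_otp(submitted, counter, otp),
        "bound_code_accepted": bank_accepts_bound(submitted, counter, bound),
    }

if __name__ == "__main__":
    print("untampered:", simulate(False))
    print("tampered:  ", simulate(True))
```

The bound code only helps when the account and amount are rendered on the token's own display and entered on its own keypad, exactly the independent I/O requirement stated above; if the host supplies them to the token, the check collapses back to the plain-OTP case.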