List:       ietf-tls
Subject:    Re: [TLS] HTTPS client-certificate-authentication in browsers
From:       Peter Gutmann <pgut001 () cs ! auckland ! ac ! nz>
Date:       2011-08-02 4:58:13
Message-ID: E1Qo73V-0000Gv-1I () login01 ! fos ! auckland ! ac ! nz

"t.petch" <ietfc@btconnect.com> writes:

>Coincidentally, one of the five big UK banks has today, 1st August, announced
>HSBC Secure Key, a hand held card device that turns your PIN into a one-time
>six digit passcode.  No technical details,

It's just a SecurID variant, so no better than the static TANs that the German
banks are abandoning.

>Another of the banks, Barclays, has had PINsentry for a while, which takes
>your PIN and your debit card to generate an 8 digit passcode.

The Barclays device is a Gemalto CAP reader rebranded.  I don't know how
Barclays are using it (<cynic>given the security record of UK banks it'll be
"incorrectly"</cynic>), but if used correctly it's actually phishing-
resistant, you enter the transaction details and it generates a crypto MAC
from them which prevents a MITB attack.

Of course as certain folks from Cambridge have pointed out, you then have to
implement the underlying protocols correctly in order for the whole thing to
be secure, but it's good enough to stop phishers/MITB.

Peter.
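The contrast drawn above, between a code that only proves possession of the device (the SecurID-style token) and a code that is a MAC over the transaction details (the CAP reader used in transaction-signing mode), as an added illustration that is not part of the original thread. It is a simplified HMAC-SHA256 model of transaction binding, not the EMV CAP algorithm; the key, the challenge format, the field separator and the "SIGN"/"OTP" labels are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared by the card and the issuer (not a real key).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac_code(key: bytes, *fields: str, digits: int = 8) -> str:
    """Truncate an HMAC-SHA256 over '|'-joined fields to a decimal code.

    The '|' separator and decimal truncation are assumptions of this model,
    chosen so the code looks like what a handheld reader displays.
    """
    data = "|".join(fields).encode("utf-8")
    tag = hmac.new(key, data, hashlib.sha256).digest()
    value = int.from_bytes(tag[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


# --- Transaction-signing mode: the code is a MAC over what the user typed ---

def device_sign_transaction(key: bytes, challenge: str, payee: str, amount_pence: int) -> str:
    """What the reader computes after the user keys in challenge, payee and amount."""
    return mac_code(key, "SIGN", challenge, payee, str(amount_pence))


def bank_verify_transaction(key: bytes, challenge: str, payee: str, amount_pence: int, code: str) -> bool:
    """The bank recomputes the MAC over the transaction *it received*.

    If a man-in-the-browser altered payee or amount in transit, the recomputed
    code no longer matches the one the user copied from the reader.
    """
    expected = device_sign_transaction(key, challenge, payee, amount_pence)
    return hmac.compare_digest(expected, code)


# --- Plain OTP mode: the code proves possession of the device, nothing more ---

def device_otp(key: bytes, challenge: str) -> str:
    """A 6-digit response to a challenge, with no transaction fields bound in."""
    return mac_code(key, "OTP", challenge, digits=6)


def bank_verify_otp(key: bytes, challenge: str, code: str) -> bool:
    """Verifies the OTP only; the bank learns nothing about the intended transaction."""
    return hmac.compare_digest(device_otp(key, challenge), code)


def demo() -> tuple[bool, bool, bool]:
    """Returns (honest_tx_ok, tampered_tx_ok, otp_ok_regardless_of_tx)."""
    challenge = secrets.token_hex(4)  # issued by the bank, shown to the user

    # The user intends to pay 50.00 to account 12345678 and signs exactly that.
    code = device_sign_transaction(CARD_KEY, challenge, "12345678", 5000)
    honest_ok = bank_verify_transaction(CARD_KEY, challenge, "12345678", 5000, code)

    # A MITB rewrites the submitted form to a different payee and amount but
    # can only forward the code the user typed; the bank's recomputation fails.
    tampered_ok = bank_verify_transaction(CARD_KEY, challenge, "99999999", 500000, code)

    # With a bare OTP the bank cannot tell the two submissions apart: the code
    # verifies no matter which transaction the browser actually sent.
    otp = device_otp(CARD_KEY, challenge)
    otp_ok = bank_verify_otp(CARD_KEY, challenge, otp)

    return honest_ok, tampered_ok, otp_ok


if __name__ == "__main__":
    print(demo())
```

The point the post makes follows directly from the two verifier functions: `bank_verify_transaction` has the bank recompute the MAC over the fields it is about to act on, so any change between keypad and server is detected, whereas `bank_verify_otp` binds nothing but the challenge and therefore cannot notice a substituted transaction.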
