http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/ Engadget Comments for VeriSign set to offer one-time use passwords on bank cards http://www.engadget.com/media/feedlogo.gif http://www.engadget.com en-us Copyright 2012 Weblogs, Inc. The contents of this feed are available for non-commercial use only. Blogsmith http://www.blogsmith.com/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/May 1st 2007 4:48PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/
I happen to like capitalism. If I want it, I'll buy it. If I don't, I won't. The consumer is king.

Not sure I'd need it, but very cool nonetheless.]]>May 1st 2007 4:58PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/May 1st 2007 5:15PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/
Where don't you see the poor and underrepresented marginalized to the point where they don't even exist to society, yet industries and businesses that aren't even struggling get billion-dollar ballouts and tax breaks/credits/loopholes/havens "just because". Where in this government don't you see the government moving in anticipation of corporate interests and desires? And the same officials that draft and sign these policies eventually go on to be lobbyists for those same industries. This is just barely skimming the surface. I could go on but I can see I already shattered your fictional fairytale reality with my 1st post.]]>May 1st 2007 5:56PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/May 1st 2007 6:12PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/
To stop MITM attacks users need to be able to verify the identity of the "other end" (aka bank web site), which SSL works fine for, if it weren't for the greedy CAs that destoyed the current SSL trust model.

Until the SSL trust can be reestablished, what is really needed is out of band transaction authentication/verification (i.e. a SMS message sent to a registered cell phone, digitally signed by the financial institution, which contains the transaction information).]]>May 1st 2007 8:47PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/May 1st 2007 9:29PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/May 1st 2007 10:09PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/Regarding the man in the middle attck, doesn't the OTP force the attacker to work in real time, because as soon as the connection is terminated then a new password is needed to reconnect? And doesn't the average connection terminate after 5 minutes of inactivity? Wouldn't that make the attacker's window of opportunity very tight?

Also regarding SSL trust, can't you check the security certificate on the connection to verify the site of the bank that you're connecting to via a third party? Or is there something that I'm missing.

]]>May 1st 2007 10:28PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/
http://www.stillagirl.com]]>May 2nd 2007 12:10AMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/The current MITM attack consists of what is basically a proxy. The user connects to what they think is their bank/FI, but it is really the MITM website which looks just like the user's bank/FI website. The MITM website/proxy then establishes a connection to the real bank/FI and just forwards the user's authentication/OTP on to the real bank/FI website and then sits in the middle of the session, providing the user only the information about that session/transaction that the MITM wants the user to see.

Since this all occurs in real-time (aka the MITM proxy), the OTP can't stop this attack.

One way to stop this is to use out of band verification, like SMS or voice messages confirming a transaction.

Another way to stop this attack is to allow the user to verify the identity of the real bank/FI, which SSL was designed to do many years ago. The problem is that SSL trust has been eroded by the CAs that issue SSL certificates, and since there is currently no consistency in SSL certificate issuance, and DNS webhost naming, it is virtually impossible for the averge user to understand the trust associated with a given SSL certificate issued for a given hostname. The problem is, SSL certs can be gotten today for look-alike hostnames that can be used to commit fraud. This is as much a problem with DNS as it is with SSL certs. It is not clear that even the latest EV SSL certs will solve this problem, especially if the CAs that issue the EV SSL certs don't perform proper diligence in vetting the identity of the bbusiness owner requesting the EV SSL cert for a given hostname.
]]>May 2nd 2007 1:32PMhttp://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/http://www.engadget.com/2007/05/01/verisign-set-to-offer-one-time-use-passwords-on-bank-cards/]]>May 2nd 2007 2:01PM