Corporate public key?
Tue Jul 8 23:12:04 2003
You, CL Gilbert, wrote:
>The mail is usually there when I get home. There is no one guarding it.
>I am not concerned about mass attacks, only a single one. Once you get
>the pin, you have no need of bruteforce. The bruteforce occurs when you
>are checking my snail mailbox everyday for a month.
I don't know how internet banking is done where you live. I have seen
banking systems for 3 banks here.
For one (Postbank, a division of ING) you get 3 lists of codes, sent in 3
separate letters on 3 separate days. You'll have to change 1 of them the
first time you use it, the other is fixed and the 3rd is a list of use-once
confirmation codes when you do payments via their program.
At ABN-AMRO you get a card reader that is a general type. You put your
bank card in it, and it requires the pin of the chip on the card to work.
You then get an 8-number challenge when you want to login on the bank card,
type this on the card reader and it gives a 6-number response. Together they
generate a session key for an encrypted connection. This session key is
stored in a cookie.
For the CVB bank, you get an electronic number generator with a serial
number. You have to type the serial number of the generator when you want to
login. It then gives a challenge number. You switch on the generator, it
asks for a 5-digit pin code (sent to you in a separate snail letter, and
you'll have to change it the first time you use the generator). Then it asks
for the challenge and responds with a response that you have to type on the
website, and the server generates a session key.
Both the ABN and CVB number generators will always produce the same response
when fed a fixed challenge.
ir. J.C.A. Wevers // Physics and science fiction site:
email@example.com // http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
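An added example, not part of the post and not the code of any of the banks named in it: a small Python model of the CVB-style flow (serial number, PIN-unlocked generator, 8-digit challenge, 6-digit response, server-derived session key). The algorithm (HMAC-SHA256 truncated to decimal digits) and the seed, serial and PIN values are constructed assumptions; real tokens use their own schemes. It shows the point the post ends on, that a fixed challenge always yields the same response, and what the server side has to do about it: issue a fresh random challenge per login, consume it on use so a captured response cannot be replayed, and lock the token after a few wrong 6-digit guesses.

```python
"""Toy challenge/response token login: device side and bank side."""
import hashlib
import hmac
import secrets

# Constructed sample values for one token (hypothetical; a real seed is
# provisioned at manufacture and the PIN is mailed separately, as the post says).
TOKEN_SERIAL = "123456"
TOKEN_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TOKEN_PIN = "24680"
MAX_FAILURES = 3  # wrong responses tolerated before the serial is locked


def truncate_to_digits(mac, digits):
    """Turn a MAC into a fixed-width decimal string the user can type."""
    return f"{int.from_bytes(mac[:8], 'big') % 10**digits:0{digits}d}"


def response_for(seed, challenge, digits=6):
    """Deterministic response: same seed and challenge always give the same digits."""
    return truncate_to_digits(hmac.new(seed, challenge.encode(), hashlib.sha256).digest(), digits)


class Token:
    """Hand-held generator: a PIN unlocks it, then it answers challenges with its seed."""

    def __init__(self, serial, seed, pin):
        self.serial = serial
        self._seed = seed
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin, challenge):
        given = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(given, self._pin_hash):
            return None  # wrong PIN: device stays locked, no response
        return response_for(self._seed, challenge)


class BankServer:
    """Holds each token's seed by serial and runs the login protocol."""

    def __init__(self):
        self._seeds = {}     # serial -> seed
        self._open = {}      # serial -> outstanding (unused) challenge
        self._failures = {}  # serial -> consecutive wrong responses
        self._locked = set()

    def register(self, serial, seed):
        self._seeds[serial] = seed

    def challenge(self, serial, digits=8):
        """Fresh random challenge; replaces any earlier unused one for this serial."""
        c = f"{secrets.randbelow(10**digits):0{digits}d}"
        self._open[serial] = c
        return c

    def login(self, serial, challenge, response):
        """Return a session key on success, None otherwise."""
        seed = self._seeds.get(serial)
        if seed is None or serial in self._locked:
            return None
        if self._open.get(serial) != challenge:
            return None  # unknown, stale or already-consumed challenge: blocks replay
        if not hmac.compare_digest(response_for(seed, challenge), response):
            self._failures[serial] = self._failures.get(serial, 0) + 1
            if self._failures[serial] >= MAX_FAILURES:
                self._locked.add(serial)  # 10^6 responses is small; stop online guessing
            return None
        del self._open[serial]  # consume the challenge
        self._failures[serial] = 0
        # Both sides can compute this from the seed plus the exchanged values.
        return hmac.new(seed, (challenge + response).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    token = Token(TOKEN_SERIAL, TOKEN_SEED, TOKEN_PIN)
    bank = BankServer()
    bank.register(TOKEN_SERIAL, TOKEN_SEED)
    c = bank.challenge(TOKEN_SERIAL)
    r = token.respond(TOKEN_PIN, c)
    print("challenge", c, "response", r, "session", bank.login(TOKEN_SERIAL, c, r))
    print("replay accepted?", bank.login(TOKEN_SERIAL, c, r) is not None)
```

The determinism itself is harmless as long as the challenge is random and single-use; what makes the fixed-challenge property dangerous is a server that reuses challenges or accepts an old one, which is why `login` deletes the challenge on success and refuses anything not currently outstanding.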