Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Smart card proposal

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: Smart card proposal
Date: Mon, 24 Jan 2005 18:47:21 +1100 
The bank is performing the same effective authentication as 
they do at 
their ATM's. Something you have (the card) and something you 
know (the 


This is only true if the combined PC + smartcard reader + chip/smartcard are
the security equivalent of an ATM.

No such smartcard platform exists today, as far as I know - PCs are way to
insecure to even dream of this level security.


Users already have an idea of how to protect their credit cards. They 


Most users have no idea of how to set up a smartcard reader, let alone
minimally secure their PC.  Why is a smartcard going to help given this
limitation?



ATM's mostly already have infrastructure to read and communicate with 
smart cards. Users can use ATM's as self-service terminals to set up 
their internet banking. e.g. the user enters their PIN at the ATM, 
selects Internet Banking, Register. The ATM instructs the 
smart card to 
generate a private key, takes a copy of the public key, 
generates a CSR, 
requests the Bank's CA to sign the cert, and installs the 
cert into the 
smart card. It then asks the user to choose a PIN for the 
certificate, 

So now the user has a second PIN to potentially forget or tell to 200 of
their best friends.


so that it cannot be accessed without it. At the same time, 
it links the 
certificate to the same accounts that the user can access via 
the ATM, 
so that Internet banking is effectively seamless.


Many installed ATMs don't have the software functionality to do this today



If the user forgets the certificate PIN, and tries to guess 
it more than 
${policy} times, the smart card locks it out. Then, the user 
can go to 
an ATM, enter his ATM PIN, request a certificate PIN reset, 
the ATM then 
supplies a (card specific) PIN Unlock Key, which allows the user to 
enter a new PIN for the cert.

The certificate lifetime would be the same as the validity 
period of the 
credit card. When the bank issues a new credit card, the user 
should go 
back to an ATM, and reregister for Internet banking. 


Bzzt - If I've already done this once, I do NOT want to have to repeat this
every 2/3 years.  I don't with my debit card (which is real money, and no
chargeback, nor fraud)

Just some initial thoughts

Lyal
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Authorization Framework., "D. HÃhn"
Next by Date:  RE: (secure email) Proposal to anti-phishing, Lyal Collins
Previous by Thread:  Smart card proposal, Rogan Dawes
Next by Thread:  RE: Smart card proposal, Richard M. Smith
Indexes:  [Date] [Thread] [Top] [All Lists]