On 2014-04-11 14:23, Per Jessen wrote:
jdd wrote:
I first heard of the challenge-response idea back in the 90s - it was already in use with several German on-line banking systems (maybe it was standard in the HBCI specification). I think my bank has been using their current setup for 10 years or more. I'm on my third card-reader.
I've never seen it here (Spain), at least for "consumers". I have used it inside companies, to access the network by employees. The one I'm thinking of they also had antitempest windows, and WiFi was strictly forbidden (it is dismantled in the warehouse, to the dismay of the operators using the handheld gadgetry they typically use in the store room or warehouses).

I've seen one important bank using a table of codes for a challenge-response system, which is used only for "operations". However, the table is a card that might be used for many years, not a one use thing. For accessing your bank data it uses a simple login/pin code (and not a long pin).

Another important bank uses a login/pass to access, then a challenge-response method for operations, but instead of a long table of codes, it is just an 8 char code of which they ask you, say, to type digits 5 and 7. Again, not a one use thing.

I think they also use a verification code sent over SMS to your mobile phone, but I don't recall which one does. It may be a volunteer choice.

A thing I have also noticed is that they ask you to enter pin codes not on the keyboard, but by clicking with the mouse on a keyboard on the screen. This might be to foul dongles inserted on the keyboard cable. Last time I noticed that the position of the virtual keys was random on one site.

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)