mobile phone + password = 2 factor auth?

Till Maas opensource at till.name
Tue May 26 21:05:40 UTC 2009


On Tue May 26 2009, Jeroen van Meeuwen wrote:

> Although this is entirely true, my bank sure considers my phone safe
> enough to send me one-time transaction confirmation codes that are only
> valid with the existing session.

I do not know how it is in your country, but afaik in Germany banks normally 
do not take the risk for online banking; the customer does. So the customer has 
to prove that a transaction was fraudulent. In comparison, for offline banking, 
the bank has to prove that a transaction in question is valid. So for them it 
is enough that a judge believes that the phone is safe enough to make it hard 
for the customer to prove that he was attacked.

Also, in Germany there was an implementation live that allowed an attacker to 
use normal transaction verification codes to enroll a phone, which then allowed 
him to create an arbitrary number of new verification codes.

Regards
Till
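The enrollment weakness Till describes, modelled as an added example (this is illustrative code written for this page, not code from any bank, from Fedora Infrastructure, or from the list participants). The bank, the phone numbers, the postal enrollment code and the TAN format are all assumptions made for the model. The weak policy accepts any unused transaction code as authorization for any action, including enrolling a new phone; the hardened policy binds each code to the exact action it was issued for and requires a separate, out-of-band enrollment code for adding a phone.

```python
"""Toy model of an SMS-TAN scheme. Constructed for this example; no real
banking API, phone number or code format is represented."""
import hmac
import secrets


class Bank:
    def __init__(self, bind_tans_to_action: bool):
        # bind_tans_to_action=False: any unused TAN authorises any action,
        #   including phone enrollment (the weak policy from the mail).
        # bind_tans_to_action=True: a TAN only authorises the action it was
        #   issued for, and enrolling a phone needs a separate enrollment
        #   code (assumed here to reach the customer by post, not by SMS).
        self.bind = bind_tans_to_action
        self.customer_phone = "+49-customer"            # assumed number
        self.enrollment_code = secrets.token_hex(4)     # assumed postal code
        self.sms_log = []   # (destination number, tan) pairs "sent" by SMS
        self.issued = {}    # tan -> action string it was issued for

    def request_tan(self, action: str) -> None:
        """Customer (or whoever holds the session) asks for a TAN for `action`."""
        tan = f"{secrets.randbelow(10**6):06d}"
        self.issued[tan] = action
        self.sms_log.append((self.customer_phone, tan))

    def _consume(self, tan: str, action: str) -> bool:
        """Use a TAN exactly once; with binding it must match its action."""
        bound_action = self.issued.pop(tan, None)
        if bound_action is None:
            return False
        return (not self.bind) or hmac.compare_digest(bound_action, action)

    def transfer(self, tan: str, to: str, amount: int) -> bool:
        return self._consume(tan, f"transfer:{to}:{amount}")

    def enroll_phone(self, tan_or_code: str, new_number: str) -> bool:
        if self.bind:
            ok = hmac.compare_digest(tan_or_code, self.enrollment_code)
        else:
            ok = self._consume(tan_or_code, f"enroll:{new_number}")
        if ok:
            self.customer_phone = new_number
        return ok


def legit_transfer(bind: bool) -> bool:
    """Normal flow: customer requests a TAN and uses it for that transfer."""
    bank = Bank(bind)
    bank.request_tan("transfer:landlord:500")
    _, tan = bank.sms_log[-1]
    return bank.transfer(tan, "landlord", 500)


def replay_for_other_transfer(bind: bool) -> bool:
    """Attacker obtains one TAN (e.g. by phishing) and spends it on a
    different transfer than the one the customer requested."""
    bank = Bank(bind)
    bank.request_tan("transfer:landlord:500")
    _, stolen_tan = bank.sms_log[-1]
    return bank.transfer(stolen_tan, "attacker", 9999)


def attacker_takeover(bind: bool) -> bool:
    """Attacker uses one stolen transaction TAN to enroll his own phone.
    Returns True if he ends up receiving TANs and can move money."""
    bank = Bank(bind)
    bank.request_tan("transfer:landlord:500")
    _, stolen_tan = bank.sms_log[-1]
    if not bank.enroll_phone(stolen_tan, "+49-attacker"):
        return False
    # Every future TAN now goes to the attacker's phone: the second factor
    # has collapsed into the first.
    bank.request_tan("transfer:attacker:9999")
    number, tan = bank.sms_log[-1]
    return number == "+49-attacker" and bank.transfer(tan, "attacker", 9999)
```

With `bind_tans_to_action=False`, `attacker_takeover` succeeds from a single phished code; with it set to `True`, the stolen TAN is useless both for enrollment and for any transfer other than the one the customer asked for, which is the "only valid with the existing session" property Jeroen's bank relies on, extended to bind the code to the transaction itself.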