out. Even if he knows your habits well and discards one attempt to be on
the safe side, he doesn't know whether you are still bluffing next time. Upon
consultation with the bank, an attempted fraud can be detected with sufficiently
high probability.
This means that the damage can be kept within bounds in the existing
system. But once again, the case showed the shockingly low level of 'cryptology'
in some practical applications, in total contrast to the impression that advertising
tries to give.
The entire issue makes a pretty miserable impression. The user and the bank
blame each other. Both are even right in their own ways.
The bank protected itself properly. Only the customer uses insecure
operating systems and insecure software, allowing hackers to steal his
password.
The customer can demand that the bank let only cryptologically secure
software access his account. Those who work with one-time passwords
count on being wiretapped anyway. In that case, they should take one more
small step and include mutual authentication. After all, the bank knows
more about security than an inexperienced customer!
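A minimal illustration of that 'small step', as an added example that is not from the book: a challenge-response exchange in which the customer's one-time response is tied to a fresh bank nonce, and the bank in turn has to prove that it knows the shared key. The shared key and nonces are constructed for the demonstration, and the HMAC construction is an assumption chosen here, not a scheme the book describes. The attack functions show what a passive wiretapper gains from the exchange (nothing reusable); they say nothing about malicious software on the customer's own computer, which is a separate problem.

```python
import hashlib
import hmac
import secrets

# Long-term secret shared by bank and customer (constructed for the example).
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so that concatenation is unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Bank:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # outstanding challenges; each may be answered once

    def challenge(self):
        n = secrets.token_bytes(16)
        self.pending[n] = True
        return n

    def verify_customer(self, bank_nonce, customer_nonce, response):
        # A challenge is consumed on first use: a replayed response is rejected here.
        if not self.pending.pop(bank_nonce, False):
            return None
        expected = mac(self.key, b"customer", bank_nonce, customer_nonce)
        if not hmac.compare_digest(expected, response):
            return None
        # The mutual part: the bank proves it knows the key, bound to both nonces.
        return mac(self.key, b"bank", customer_nonce, bank_nonce)


class Customer:
    def __init__(self, key):
        self.key = key

    def respond(self, bank_nonce):
        cn = secrets.token_bytes(16)
        return cn, mac(self.key, b"customer", bank_nonce, cn)

    def verify_bank(self, bank_nonce, customer_nonce, proof):
        expected = mac(self.key, b"bank", customer_nonce, bank_nonce)
        return hmac.compare_digest(expected, proof)


def run_session(bank, customer):
    """One complete exchange. Returns (bank_accepted, customer_accepted, transcript)."""
    bn = bank.challenge()
    cn, resp = customer.respond(bn)
    proof = bank.verify_customer(bn, cn, resp)
    bank_ok = proof is not None
    cust_ok = bank_ok and customer.verify_bank(bn, cn, proof)
    return bank_ok, cust_ok, (bn, cn, resp, proof)


def replay_attack(bank, transcript):
    """Wiretapper replays the captured customer response against the same challenge."""
    bn, cn, resp, _ = transcript
    return bank.verify_customer(bn, cn, resp) is not None


def replay_into_fresh_challenge(bank, transcript):
    """Wiretapper replays the captured response against a new challenge."""
    _, cn, resp, _ = transcript
    bn2 = bank.challenge()
    return bank.verify_customer(bn2, cn, resp) is not None


def impersonation_attack(customer, bank_nonce, customer_nonce):
    """A fake bank without the key tries to pass the customer's check."""
    fake_proof = mac(b"attacker-guess", b"bank", customer_nonce, bank_nonce)
    return customer.verify_bank(bank_nonce, customer_nonce, fake_proof)


if __name__ == "__main__":
    bank, cust = Bank(SHARED_KEY), Customer(SHARED_KEY)
    bank_ok, cust_ok, tr = run_session(bank, cust)
    print("honest session:", bank_ok, cust_ok)
    print("replay accepted:", replay_attack(bank, tr))
    print("replay into fresh challenge accepted:", replay_into_fresh_challenge(bank, tr))
    print("fake bank accepted:", impersonation_attack(cust, tr[0], tr[1]))
```

The two replay checks fail for different reasons: the first because the bank consumes each challenge on first use, the second because the response is an HMAC over the bank's nonce and does not verify under a new one. The impersonation check fails because the bank's proof can only be computed with the shared key.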
It is not the 'anarchic Internet' that is to blame but insecure cryptographic
protocols and insecure software. It's about time both were brought up to the
state of the art.
From the cryptological viewpoint, encryption by means of hybrid methods
would certainly be a better choice. In practice, this calls for chip cards
whose keys cannot be read out, and perhaps additional biometric systems. Until we
get to this point, however, we make do with one-time passwords, perhaps
additionally protected by digital signatures.
... and Cruel Practice
Those were my thoughts. They matter for systems with one-time passwords
in any event, but they remained gray theory, because later I learned the
truth about the attack demonstrated in that TV program.
The customers used Microsoft Internet Explorer, which activates so-called
ActiveX controls. These controls let a suitably prepared page on the Web
load and start an application on your local computer (similar to Java applets,