Security Tokens

Story: Attackers raid SWISS BANKS with DNS and malware bombs
Total Replies: 9
Ridcully

Jul 24, 2014
2:49 AM EDT
From what I have seen so far, my bank account cannot be manipulated by anyone else except me because any action on the account MUST be approved by a 6-digit number generated by a security token in my personal possession .....It is extremely unlikely but even if the scammers actually got my access ID and log-in code, they still do not have the security token number which is only available from the token in my possession and which changes each time I log in and generate a token number.

Does anyone else have any comments on this ? From what I am able to understand, the token number generation effectively locks the account unless you are in possession of the token and can generate the required number. If this is the case, one begins to wonder why the Swiss Banks.....so often lauded for security.....are not using the token method. But perhaps I am wrong in my understanding ?

PS....it's worth exploring just how the token generates the number and how it can be recognised by the bank .....very intriguing.
jdixon

Jul 24, 2014
6:53 AM EDT
> Does anyone else have any comments on this ?

I have one of those for work. The one I have is by RSA.

I have no idea what algorithm they use to generate the numbers, but there is a server component to the system against which you authenticate. It knows the number that your token should be showing by referencing the token's serial number. So obviously if someone can get the serial number of your token, it's at least theoretically possible that they could access your account, even without the token itself.

The internal clock of the token can get out of sync with the server end, at which point you have to resync the token to the server by telling it when the number changes and what the new number is.
Ridcully

Jul 24, 2014
8:17 AM EDT
Hi Jdixon.......I got the idea from some reading, that each token has a slightly different algorithm. The base line is that the token also contains a clock, against which the algorithm generates the number. From what I read, the serial number of the token is also crucial when you are setting up the bank server to accept what the token will output in the future........But my point was that if you are using the token output as the final stage of conducting any bank procedure, then the thief MUST get hold of that token physically if he is to break the system. I don't think the serial number on its own would do any good unless you are able to duplicate both the algorithm and the clock in order to get an output.

Oh sure.....if there is a lock, there is a key......but in this case, if the token is kept securely by the legitimate user, I think it produces an unbreakable situation for a scammer. What do you think ?
jdixon

Jul 24, 2014
8:38 AM EDT
> I don't think the serial number on its own would do any good unless you are able to duplicate both the algorithm and the clock in order to get an output.

I doubt the actual clock input is all that significant since it has to be able to be duplicated on the server. I suspect it merely gives you a zero point for generating the numbers. But yes, you have to know the algorithm in order to generate the next key, you need the token's serial number, and you probably need to know at least one key from the token and what time it was displayed. So probably not impossible to break, but extremely difficult. And yes, I agree that all banks should use them. Of course, they cost money, so...
Ridcully

Jul 24, 2014
8:45 AM EDT
You're pretty much travelling the same paths I am taking Jdixon........Cost though, is a pittance. Out here, the token cost $20 and from then on, no charge. Apart from the "nuisance" of having to generate and enter another number, they are truly a piece of cake to use. And if you have the sort of cash that would attract a thief, then a twenty dollar token is worth every cent I think.

I'd never thought much about them before, and it's a whole new area. Intriguing.
Bob_Robertson

Jul 24, 2014
9:10 AM EDT
I used one of those at NASA. There were also a few digits added, as a PIN.

Interesting was that the interpreting system was designed so that you could enter a different PIN, and it would allow access but set off an alarm, so if someone demanded your PIN you could give them one that would both "work" and tell people you'd been "hacked".
jdixon

Jul 24, 2014
9:21 AM EDT
> Cost though, is a pittance.

Agreed. I think ours is about $35. But you know banks. And ours have a 3 year expiration. Of course, there's also the cost of running the server and the (assumed) licensing costs. I know nothing about those.

> ...the interpreting system was designed so that you could enter a different PIN, and it would allow access but set off an alarm...

Hmm. I wonder if ours has that feature or not. It's never been brought up if they do. I'd think banks would be VERY interested in it.

TxtEdMacs

Jul 24, 2014
10:46 AM EDT
[serious]

My experience with a financial institution using secondary verification required a fairly rapid sign on. That is, if delayed more than the 60 - 90 seconds (my guesstimate) the digital code reset. Moreover, if the connection was interrupted for any cause an entirely new sign on was required.

[/serious]

YBT
Ridcully

Jul 24, 2014
6:15 PM EDT
Oh yes, Jdixon, I do know banks indeed......I think they work on the principle that if there is a way to extract more milk with as little "moo" as possible, then they will use it. Still, it IS odd to see $35 and a time limit considering my token cost $20 and has no limit. I think your charges just might be a bit much, as they say. I have to admit though, that the bank I am using here has a superb name for working and assisting in the communities where it has a branch and they also look after the older customers very, very well.

Txt, the token I am using generates a 6-digit number which stays on the mini-screen for about 10 seconds, which is more than enough time to enter it on the computer and verify it. Given that the generated number is derived both from an algorithm, the exterior token digit and particularly its internal clock, the generated number absolutely must change each time you use it - if I understand its operation successfully - which I doubt.

Bob, that NASA one sounds intriguing.....more stuff built into the token for a high security area. I've never encountered anything like that before.
jdixon

Jul 24, 2014
10:19 PM EDT
> Still, it IS odd to see $35 and a time limit considering my token cost $20 and has no limit.

RSA is the brand name in the field, Ridcully. And they are intended for corporate use, with all that implies.

> the token I am using generates a 6-digit number which stays on the mini-screen for about 10 seconds

I believe mine stays for 30 seconds.

> Bob, that NASA one sounds intriguing

The second PIN could be handled entirely on the server end and have nothing whatsoever to do with the token.
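As an added illustration (not code from the thread, the linked story, or RSA's product, whose algorithm the posters say they don't know), this Python sketch uses the open TOTP construction from RFC 6238 to show the pieces the posts describe: the server keeps a seed per token serial, the 6-digit number depends on that seed plus a clock, small drift is learned automatically, a wider manual resync takes a code and the next one it changes to (jdixon's case), and Bob_Robertson's duress PIN is handled entirely on the server, as jdixon suggests. The seed, serial, PINs and timestamps are constructed values.

```python
import hmac, hashlib, struct
STEP, DIGITS = 30, 6  # a new 6-digit code every 30 s, as on jdixon's token

def token_code(seed: bytes, counter: int) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over a time-step counter (clock // STEP)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

class TokenServer:
    """Server side: serial -> seed, learned clock offset, PIN and duress PIN."""
    def __init__(self, window: int = 1):
        self.window = window  # time steps of drift accepted silently
        self.tokens, self.alarms = {}, []

    def enroll(self, serial, seed, pin, duress_pin):
        self.tokens[serial] = dict(seed=seed, offset=0, last=-1, pin=pin, duress=duress_pin)

    def _find_counter(self, rec, code, server_clock, search):
        base = server_clock // STEP + rec["offset"]  # where the token should be
        for delta in range(-search, search + 1):
            if hmac.compare_digest(token_code(rec["seed"], base + delta), code):
                return base + delta
        return None

    def verify(self, serial, pin, code, server_clock) -> str:
        """'ok', 'duress' (access granted but alarm raised) or 'deny'."""
        rec = self.tokens.get(serial)
        if rec is None:
            return "deny"
        counter = self._find_counter(rec, code, server_clock, self.window)
        if counter is None or counter <= rec["last"]:  # unknown code, or a replay
            return "deny"
        duress = hmac.compare_digest(pin, rec["duress"])
        if not duress and not hmac.compare_digest(pin, rec["pin"]):
            return "deny"
        rec["last"], rec["offset"] = counter, counter - server_clock // STEP  # learn drift
        if duress:
            self.alarms.append(serial)  # silent alarm: let them in, tell staff
        return "duress" if duress else "ok"

    def resync(self, serial, code1, code2, server_clock, search=1000) -> bool:
        """Manual resync: the user reports a code and the next one it changed to."""
        rec, base = self.tokens[serial], server_clock // STEP
        for delta in range(-search, search + 1):
            if (token_code(rec["seed"], base + delta) == code1
                    and token_code(rec["seed"], base + delta + 1) == code2):
                rec["offset"] = delta
                return True
        return False
```

A code that has already been accepted is rejected on the second try, which a real server must also do.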
