mobile phone + password = 2 factor auth?
Till Maas
opensource at till.name
Tue May 26 21:05:40 UTC 2009
On Tue May 26 2009, Jeroen van Meeuwen wrote:
> Although this is entirely true, my bank sure considers my phone safe
> enough to send me one-time transaction confirmation codes that are only
> valid with the existing session.
I do not know how it is in your country, but afaik in Germany it is normally
not the banks that bear the risk for online banking, but the customer. So the
customer has to prove that a transaction was fraudulent. In comparison, for
offline banking, the bank has to prove that a transaction in question is valid.
So for them it is enough that a judge believes that the phone is safe enough to
make it hard for the customer to prove that he was attacked.
Also, in Germany there was a live implementation that allowed an attacker to
use normal transaction verification codes to enroll a phone that could then
create an arbitrary number of new verification codes.
Regards
Till