Barclays online banking: pinSentry
Discussion
andy_quantum said:
Basic 2 factor authentication; something you have and something you know. Many people including myself have been using it for years to access corporate networks (Windows logon etc) using either small keyfobs or SMS. Companies like RSA, Vasco, Cryptocard etc have been doing this for years. Personally I think it's great that it's filtering down, not just in specifically hi-tech companies or large corporates, as it's added security.
To the person who keeps their machine secure, please bear in mind it's only as good as the weakest link and other such IT-related cliches; you don't have total control over your machine, and everything to make it more secure should be seen as a good thing.
We are intro-ing RSA fobs here for VPN / OWA. But I check my accounts from work / home / trusted friends / parents' house. I don't want to have to lug this round as well.
Please post the pinsentry article (or PM it)
Safe? There is nothing that is safe. If you want secure encryption then you use one-time pads. But then communicating them is not secure.
Yes a man-in-middle can defeat it, but only at the time. My understanding (and I'm guessing from how it appears to work) is that they could not log on again a bit later - that is a major improvement.
Man-in-the-middle also defeats a secure password and indeed most other solutions available to the banks, if not all.
Personally I'd rather have this system than not; nothing above has dissuaded me so far.
PinSentry said:
andy_quantum said:
Basic 2 factor authentication; something you have and something you know. Many people including myself have been using it for years to access corporate networks (Windows logon etc) using either small keyfobs or SMS. Companies like RSA, Vasco, Cryptocard etc have been doing this for years. Personally I think it's great that it's filtering down, not just in specifically hi-tech companies or large corporates, as it's added security.
To the person who keeps their machine secure, please bear in mind it's only as good as the weakest link and other such IT-related cliches; you don't have total control over your machine, and everything to make it more secure should be seen as a good thing.
pinSentry was also hacked a month or two ago. The head of a security company which was purchased by IBM in early 2007 made a right cock up by announcing it at a security press conference.
You can introduce a man in the middle attack against the device and inject web pages to take over an account and divert funds.
It appears that IBM legal have been rather speedy on this one as the story has vanished from the original source; Barclays, needless to say, are not happy bunnies.
I do have a transcript of the original article if it would interest anyone.
reddog03 said:
PinSentry said:
andy_quantum said:
Basic 2 factor authentication; something you have and something you know. Many people including myself have been using it for years to access corporate networks (Windows logon etc) using either small keyfobs or SMS. Companies like RSA, Vasco, Cryptocard etc have been doing this for years. Personally I think it's great that it's filtering down, not just in specifically hi-tech companies or large corporates, as it's added security.
To the person who keeps their machine secure, please bear in mind it's only as good as the weakest link and other such IT-related cliches; you don't have total control over your machine, and everything to make it more secure should be seen as a good thing.
pinSentry was also hacked a month or two ago. The head of a security company which was purchased by IBM in early 2007 made a right cock up by announcing it at a security press conference.
You can introduce a man in the middle attack against the device and inject web pages to take over an account and divert funds.
It appears that IBM legal have been rather speedy on this one as the story has vanished from the original source; Barclays, needless to say, are not happy bunnies.
I do have a transcript of the original article if it would interest anyone.