
On 07.05.14 20:34, Brent Wallis wrote:
> On Wed, May 7, 2014 at 7:38 PM, Erik Christiansen
> > That bank cared enough about security to _insist_ on sending a security dongle when a substantial netbank account was opened - they did not wish to accept liability for loss of that amount of funds without the extra security provision.
> ..
> The dongle was / could have been "keyed" off the private cert of the domain...perhaps?
Such dongles merely generate one-time passwords, changing every few seconds. They are driven by a pseudo-random sequence generator, I figure. It is trivial to build one into a CMOS chip which runs for years on the tiny sealed-in battery, yet does not repeat in 100 human lifetimes. The one weakness, in the event of the account ID and password both being acquired, is that a lucky crim might randomly guess the token value for that instant, since that's only 1 in a million.

Erik

-- 
Pessimist: The glass is half empty.
Optimist: The glass is half full.
Engineer: The glass is twice as big as it needs to be.
- Read on avr-chat ML
Pragmatist: Who cares, so long as there's more in the bottle.