[Dshield] ID theft ring hits 50 banks, firm says

Johannes B. Ullrich jullrich at euclidian.com
Tue Aug 9 14:58:38 GMT 2005

> they use a machine-based (I get a credit-card sized
> but thicker "calculator", at no cost to me) one-time challenge/response
> protocol over https for admission to Internet users' accounts and a
> separate challenge/response, once "inside" that account, for any
> transaction attempted.

True. ING does not use one time passwords in the US. Only in Europe.
I yet have to figure out why. But in Europe, one time passwords are the

Back in the 80s, as I started using online banking in Germany, my bank
provided a sheet with one time 'transaction numbers'. One was used for
each transaction (= wire transfer).

Banking in the US works different from banking in Europe.

In the US, most payments are still conducted by check. In many cases, if
I enter an 'electronic payment' with my bank, the bank will print a
check and mail it to the recipient at no cost to me. If on the other
hand I 'wire' the money electronically, it will cost me $15. In Europe,
most payments even between private persons, are done via 'wire
transfers' at minimum or no cost.

Now the 'one time password' scheme has found its phishing match. I have
seen a few phishing scams targeting postbank (german bank that uses
sheets with one time passwords) where they ask for two of these
passwords in addition to your username/login password.

Of course, the calculator style timed or challenge/repsone schemes
should be phishing proof.

One scheme I have seen in china: The bank will send a message to your
cell phone with a one time password each time you log in. So this is
"out of band two factor": you need to know the username/password to
trigger the one time password, and you need to have the right cell phone
to receive the one time password.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050809/6100cdb4/signature.bin

More information about the list mailing list