* Eugen Leitl:

> The German PIN/TAN system is reasonably secure, being an effective
> one-time pad distributed through out of band channel (mailed dead
> tree in a tamperproof envelope).

Some banks have optimized away the special envelope. 8-(

> It is of course not immune to phishing (PIN/TAN harvesting), which
> has become quite rampant recently.

And we face quite advanced attack technology, mainly compromised end
systems. We are well beyond the point where simple tokens (like RSA
SecurID) would help.

> I do have an HBCI smartcard setup with my private account but don't
> use it since it's locked in a proprietary software jail.

The way the current attacks are carried out, smartcard-based HBCI is
less secure than the PIN/TAN model because with HBCI, you don't need to
authorize each transaction separately. At this stage, few people
recognize this problem, and German banks put high hopes on
smartcard-based online banking, despite its high costs in terms of
consumer devices and support calls.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
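The contrast the reply draws, per-transaction TAN authorization versus a session opened once by a smartcard, as an added toy model in Python. This is illustration code written for this page, not code from the list post or from any bank or HBCI implementation. Everything in it is constructed and assumed: the six-digit TAN list standing in for the mailed paper list, the account names, the session-token scheme, and the "malware" that shares the customer's end system.

```python
"""
Toy model contrasting per-transaction TAN authorization with session-level
(smartcard-style) authorization. Added example, not code from the list post.
All data is constructed: the TAN list, the account names and the "malware".
"""
import secrets
from dataclasses import dataclass

# Constructed TAN list standing in for the mailed paper list (assumption:
# six-digit decimal TANs, not bound to transaction data, i.e. plain TAN).
TAN_LIST = ["482913", "105774", "839201", "667105", "220988"]


@dataclass(frozen=True)
class Transfer:
    to: str
    amount: int


class TanListBank:
    """PIN/TAN model: each transfer must carry one unused TAN; the TAN is
    burnt on first use whether or not it was the customer who sent it."""

    def __init__(self, tans):
        self.unused = set(tans)
        self.ledger = []

    def transfer(self, t: Transfer, tan: str) -> bool:
        if tan not in self.unused:
            return False               # reused, already-spent or guessed TAN
        self.unused.discard(tan)       # one-time: consumed before posting
        self.ledger.append(t)
        return True


class SessionBank:
    """Session model as described in the reply: one smartcard
    authentication opens a session, after which transfers are accepted
    without a separate per-transaction authorization."""

    def __init__(self):
        self.sessions = set()
        self.ledger = []

    def login(self, card_auth_ok: bool):
        if not card_auth_ok:
            return None
        token = secrets.token_hex(8)   # assumed session-token scheme
        self.sessions.add(token)
        return token

    def transfer(self, token, t: Transfer) -> bool:
        if token not in self.sessions:
            return False
        self.ledger.append(t)
        return True


def run_session_model(extra_transfers: int = 3):
    """Customer authenticates once and pays the landlord; malware on the same
    end system then reuses the open session for as many transfers as it likes."""
    bank = SessionBank()
    token = bank.login(card_auth_ok=True)
    bank.transfer(token, Transfer("landlord", 800))
    injected = [bank.transfer(token, Transfer("mule", 2500))
                for _ in range(extra_transfers)]
    return sum(injected), [t.to for t in bank.ledger]


def run_tan_model():
    """Same customer on the same compromised end system, but every transfer
    needs its own fresh TAN."""
    bank = TanListBank(TAN_LIST)
    bank.transfer(Transfer("landlord", 800), TAN_LIST[0])
    # 1. replaying the TAN the customer just typed fails: it is burnt
    replay_ok = bank.transfer(Transfer("mule", 2500), TAN_LIST[0])
    # 2. a guessed TAN that is not on the list fails
    guess_ok = bank.transfer(Transfer("mule", 2500), "000000")
    # 3. a phished, still-unused TAN works exactly once (the harvesting attack
    #    mentioned in the quoted text); a second use of it fails again
    phished_ok = bank.transfer(Transfer("mule", 2500), TAN_LIST[1])
    phished_again = bank.transfer(Transfer("mule", 2500), TAN_LIST[1])
    return {
        "replay": replay_ok,
        "guess": guess_ok,
        "phished": phished_ok,
        "phished_again": phished_again,
        "ledger": [t.to for t in bank.ledger],
        "tans_left": len(bank.unused),
    }


if __name__ == "__main__":
    print(run_session_model())   # 3 injected transfers, all accepted
    print(run_tan_model())       # only the phished TAN buys one transfer
```

The model makes the reply's point concrete: with session-level authorization a compromised end system can issue any number of transfers once the card has been presented, whereas with a TAN list each transfer costs the attacker one unused TAN, obtained by phishing or otherwise. One caveat the same model exposes: a plain TAN is not bound to the transaction contents, so malware that swaps the recipient while the customer types a TAN still gets one fraudulent transfer per TAN, which is exactly why the reply says compromised end systems are beyond what simple tokens address.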