[EMAIL PROTECTED] wrote:
> What I meant was a CRYPTO CARD.
>
> It is just like a little tiny pocket calculator. The web site gives
> you a number, you enter it on the card, and you get a number back.
>
> It is unbreakable security,

Unbreakable security is quite a claim. Unfortunately it is not true.
To break this, a trojan only needs to do two things to your
browser: install a new root certificate (to defeat ssl) and set or change
the proxy server. You can then mount a successful MITM attack, whereby the
attacker can change all transactions you do (like for example, change the
destination account number). Because it still relays the challenges to the
crypto card and the responses from it, the website will accept the changed
transaction.

This would change with a smartcard that actually did a public key signature
on some transaction: you'll then need a more sophisticated trojan on the
client that can intercept and change keyboard typing and screen output: as
long as the smartcard does not have a visual display, there is no way to
know if the same transaction you entered was actually sent to the smartcard
for signing or that it was changed in the process.

Edwin
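
Added example, not part of the original message: a small model of why the site's check passes on an altered transaction when the card's response covers only the challenge, and fails when the response also covers the transaction the user keyed into the card. An HMAC over a shared secret stands in for both the card's algorithm and the public key signature mentioned above; the key, account labels and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample key shared by the card and the site (assumption).
SECRET = b"constructed-demo-card-secret"

# Constructed sample transactions: what the user intends, and what the
# site receives if something between browser and site rewrites it.
USER_TXN = b"to=ACCT-1111;amount=100"
ALTERED_TXN = b"to=ACCT-9999;amount=100"


def card_response(challenge: bytes, keyed_txn: bytes = b"") -> str:
    """Short number the card shows for whatever the user keyed into it."""
    mac = hmac.new(SECRET, challenge + b"|" + keyed_txn, hashlib.sha256)
    return mac.hexdigest()[:8]


def site_accepts(challenge: bytes, response: str,
                 received_txn: bytes, bind_txn: bool) -> bool:
    """Site recomputes the response over what it actually received."""
    covered = received_txn if bind_txn else b""
    expected = card_response(challenge, covered)
    return hmac.compare_digest(expected, response)


def run(bind_txn: bool, tampered: bool) -> bool:
    """One login/transfer round; returns True if the site accepts it."""
    challenge = secrets.token_hex(4).encode()
    # The user always keys in what *they* intend. In bound mode that
    # includes the transaction, entered on the card's own keypad.
    response = card_response(challenge, USER_TXN if bind_txn else b"")
    received = ALTERED_TXN if tampered else USER_TXN
    return site_accepts(challenge, response, received, bind_txn)


if __name__ == "__main__":
    for bind in (False, True):
        for tampered in (False, True):
            print(f"bound={bind!s:5} tampered={tampered!s:5} "
                  f"accepted={run(bind, tampered)}")
```

The bound case only holds because the model has the user enter the transaction on the card itself; if the card receives it from the PC and has no display, the point made above about not knowing what was actually signed still applies.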