R.A. Hettinga wrote:

...

Okay. So AOL and Banks are *selling* RSA keys??? Could someone explain this to me?

At 12:24 PM 1/4/2005, Trei, Peter wrote:

The slashdot article title is really, really misleading. In both cases, this is SecurID.

Yup. It's the little keychain frob that gives you a string of numbers, updated every 30 seconds or so, which stays roughly in sync with a server, so you can use them as one-time passwords instead of storing a password that's good for a long term. So if the phisher cons you into handing over your information, they've got to rip you off in nearly-real-time with a MITM game instead of getting a password they can reuse, sell, etc. That's still a serious risk for a bank, since the scammer can use it to log in to the web site and then do a bunch of transactions quickly; it's less vulnerable if the bank insists on a new SecurID hit for every dangerous transaction, but that's too annoying for most customers. ---- Bill Stewart bill.stewart@pobox.com