Banks Test ID Device for Online Security

Bill Stewart bill.stewart at pobox.com
Tue Jan 4 19:18:54 PST 2005


>R.A. Hettinga wrote:
> > Okay. So AOL and Banks are *selling* RSA keys???
> > Could someone explain this to me?

At 12:24 PM 1/4/2005, Trei, Peter wrote:
>The slashdot article title is really, really misleading.
>In both cases, this is SecurID.

Yup.  It's the little keychain frob that gives you a string of numbers,
updated every 30 seconds or so, which stays roughly in sync with a server,
so you can use them as one-time passwords
instead of storing a password that's good for a long term.

So if the phisher cons you into handing over your information,
they've got to rip you off in nearly-real-time with a MITM game
instead of getting a password they can reuse, sell, etc.

That's still a serious risk for a bank,
since the scammer can use it to log in to the web site
and then do a bunch of transactions quickly;
it's less vulnerable if the bank insists on a new SecurID hit for
every dangerous transaction, but that's too annoying for most customers.





----
Bill Stewart  bill.stewart at pobox.com 




