tag:blogger.com,1999:blog-17540721.post116578617658020395..comments2008-03-16T19:57:46.424+01:00Szymon Slupikhttps://profiles.google.com/115855762914475187374noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-17540721.post-46236749308214086752008-03-16T19:57:00.000+01:002008-03-16T19:57:00.000+01:00"on screen pin keyboards would have to be randomized"<BR/>-> they already are; many online banks are doing that<BR/><BR/>"users are lazy they simply revert to pressing keys"<BR/>-> you can easily prevent them from doing that, it is just a matter of the page designHeadworxhttp://www.blogger.com/profile/11659982647690284677noreply@blogger.comtag:blogger.com,1999:blog-17540721.post-65175286755064428552008-03-16T19:09:00.000+01:002008-03-16T19:09:00.000+01:00"u cannot solve problem on level that created it" (einstein:)<BR/><BR/>hook the keyboard. hook the mouse. on screen pin keyboards would have to be randomized and then your into "behavioral science" ... users are lazy they simply revert to pressing keys<BR/><BR/>there are 3 critical components 2authenticity here:<BR/>(1) destination<BR/>(2) source<BR/>(3) "presence"<BR/><BR/>(2 + 3) = validating the "user rather than the browser" and ensuring that a person is present (rather than a bot)<BR/><BR/>right now all attempts have focused on "left brain" and computational activity. the solution engages right (non linear emotional).<BR/><BR/>ussd model proposed is closer however fails on (1) since pushed. any input has 2b "above band" (cellular) and "pushed" since only mobile origination cannot b faked.<BR/><BR/>akstarscriberhttp://www.blogger.com/profile/17063191739795105773noreply@blogger.comtag:blogger.com,1999:blog-17540721.post-61859484332242742042008-03-16T17:24:00.000+01:002008-03-16T17:24:00.000+01:00You're right. But a simple trick with an on-screen keyboard (a keyboard displayed as a series of links on a web page) should do. Still OTP seems to be the only sensible way to use your online services on machines you do not trust...Headworxhttp://www.blogger.com/profile/11659982647690284677noreply@blogger.comtag:blogger.com,1999:blog-17540721.post-70981540394730334512008-03-15T04:53:00.000+01:002008-03-15T04:53:00.000+01:00hi:<BR/><BR/>OTP via sms entered back thru PC keyboard simply "cat chasing tail". problem with PC is keyboard as u know is zero encryption on keypress. with key logger active entering the sms PIN on the PC simply captured in clear then changed on the fly and invalidating the real session while real PIN has already been submitted on parallel and now hijacked session.<BR/><BR/><BR/>akstarscriberhttp://www.blogger.com/profile/17063191739795105773noreply@blogger.com