Re: Time to ask again: Is there anything BETTER than eBay?
- From: vin.mclellan@xxxxxxxxx
- Date: 24 Nov 2005 00:23:04 -0800
Just a footnote on the two-factor authentication (2FA) tokens mentioned
in this discussion:
Rob said that he already has two RSA SecurID tokens that he uses at
work, and is thus restrained in his enthusiasm for any financial
services which offer him yet another token that will be required
whenever he wants to execute a transaction or access his records. This
is a real problem, something token vendors refer to as the "necklace"
scenario. RSA (for which I've been a consultant for many years) is
trying to address it with its RSA Authentication Service (RAS).
The RAS is a network-based service which will provide a "blind"
validation of a token-code from a SecurID -- which will have been
issued by one firm -- to a second firm (likely a bank or financial
service firm, at least initially) which has previously registered a
"second hand" claim on that SecurID by serial number and a numeric
pseudonym. With the SecurID serial number, RSA can generate and
validate the token-code displayed on a particular SecurID at any given
moment -- but it has no way to match a token to a particular user now,
or any time in the future, nor does it know the PIN or password the
token-holder is using for 2FA.
The idea is that the second firm, with the approval of the original
issuer, will independently validate the user's login name and password,
but it will then refer the SecurID's one-time password (OTP) token-code
to the RSA Authentication Service for a full 2FA validation. All
customer and account information will be retained by the financial
institution or enterprise which is seeking the token-code validation,
which sidesteps a lot of the competitive issues which have previously
stymied efforts to have multiple institutions accept the same OTP token
for 2FA.
RSA is just now launching a beta test of this service, but if only a
fraction of the 15,000 institutions which now rely upon SecurIDs endorse
it, it could offer many financial and commercial institutions a more
cost-effective 2FA option... and allow consumers to gain the assurance
of strong authentication from the institutions they do business with,
without lugging around a pocket full of tokens.
Rob, if you already feel the burden of a "necklace," you might ask your
local IT admin if he would allow you to use RSA's newest token, the SID
800.
The SID 800 is a hybrid SecurID, which has both a USB plug and an LCD
which continuously displays a series of 60-second passwords. Although
the LCD will only display the output of one SecurID, the memory stick
in the USB token can also carry the seeds for another six independent
SecurIDs, each of which can be accessed by a PC-based RSA software app
and used to generate the appropriate token-codes from a half-dozen
SecurIDs. (This is the same SecurID token-emulation software that is
used in phones, Blackberries, and PDAs. It's not as resistant to all
direct physical and logical attacks as a sealed hardware token, but
it's appropriate for many security environments.)
I understand, btw, that Lloyds TSB is going to provide Vasco's Digipass
Go 3 tokens to its customers. (eBay is reportedly going to get its
consumer 2FA tokens from VeriSign, as part of the deal negotiated when
eBay purchased VeriSign's payment processing unit for US$370 million.)
Vasco is a good company, and the Go 3 token is a good example of an
"event sync" token which generates a pseudo-random token-code every
time the user pushes a small button on the Go 3 fob.
Despite some comments in this thread, however, Lloyds' Go 3 tokens will
not be time-based. RSA still has critical patent protection on the
mechanism which validates the SecurID's 60-second OTP.
Vasco tokens are nominally sold with a 5-year lifespan. Recently,
however, the Vasco CEO told US security analysts that many European
banks have decided that they will have to annually replace Vasco tokens
issued to their staff and customers, for reasons he did not explain.
Good luck saving eBay from its foibles, Gentlemen. I hope this wordy
footnote is helpful, or at least informative.
Cheers,
..
_Vin
PS. Happy "Thanksgiving Day" from the US of A.
------------------ in response to
--------------------------------------
Funfly wrote:
> > If Ebay offered a securid tag as an option this would stop the phishing
> > frauds dead as without the tag you could not log in to yours or anybody's
> > else's account at all as it expires after 60 seconds and I have heard
> > rumours that Lloyds TSB is going to do just that for its customers that
> > use internet banking
Rob Nicholson replied:
> Yes that's true - got a letter from Lloyds TSB and it now says "coming soon"
> when I log on. I'm on the fence with this one as I have to use SecurID at
> work and I've already got two of them there. I like the idea of being able
> to check my balance/transfer money at work, on holiday etc. and having to
> remember to take the key with me hasn't exactly got me jumping up and down.
> I can understand the security aspect.
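An added example, not part of the original post and not RSA's or Vasco's software, sketching the split the post describes: the relying party (bank) checks the user's own PIN locally, while a validation service that holds nothing but serial-number-to-seed mappings checks the token-code "blindly", and the same seed material can also be validated in the event-sync (button-press) mode Vin contrasts with it. The HMAC-based OTP construction (RFC 4226 style), the 60-second step, the serial number, seed and user records are all assumptions standing in for the proprietary SecurID algorithm.

```python
import hmac
import hashlib
import struct

# Constructed data: the blind validation service knows only serial -> seed.
# It holds no user names, account data or PINs (assumption: this is what
# "blind" validation by serial number and pseudonym amounts to).
SEEDS = {"000123456789": bytes.fromhex("3132333435363738393031323334353637383930")}
STEP = 60  # seconds per token-code, as in the 60-second SecurID display


def _otp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226-style HMAC-SHA1 truncation; a stand-in for the real SecurID
    algorithm (assumption), keyed by the token seed and a counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(seed: bytes, now: float) -> str:
    """What a time-based token would display at wall-clock time `now`."""
    return _otp(seed, int(now // STEP))


def validate_time_code(serial: str, code: str, now: float, drift: int = 1) -> bool:
    """Blind time-based check: current window plus +/- `drift` windows of clock
    skew. Unknown serials fail closed; no user identity is involved."""
    seed = SEEDS.get(serial)
    if seed is None:
        return False
    window = int(now // STEP)
    return any(hmac.compare_digest(_otp(seed, window + d), code)
               for d in range(-drift, drift + 1))


def validate_event_code(serial: str, code: str, state: dict, look_ahead: int = 10) -> bool:
    """Event-sync check (button-press tokens): search forward from the last
    accepted counter, then advance it so a replayed code is rejected."""
    seed = SEEDS.get(serial)
    if seed is None:
        return False
    last = state.get(serial, 0)
    for counter in range(last + 1, last + 1 + look_ahead):
        if hmac.compare_digest(_otp(seed, counter), code):
            state[serial] = counter  # consume this and every earlier code
            return True
    return False


def relying_party_login(users: dict, username: str, pin: str, code: str, now: float) -> bool:
    """The bank validates its own customer record and PIN, then refers only
    serial + token-code to the blind validation service."""
    rec = users.get(username)
    if rec is None or not hmac.compare_digest(rec["pin"], pin):
        return False
    return validate_time_code(rec["serial"], code, now)
```

The event-sync state dict stands in for the per-token "last counter" a server must persist; losing it is what forces re-synchronisation of button-press tokens.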