Computerworld - Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns.
In Germany, those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks even dispatch such TANs to the user's mobile phone via SMS, in which case they are called mTANs (for 'mobile TANs').
Millions of online banking customers in Europe use a hardware device to authenticate themselves. Most of these hardware devices use OTPs, which "are no longer enough to protect online banking transactions". So there you have it.
There are a whole lot of devices that need replacing...
- Todos uses OTPs
- RSA uses OTPs
- Vasco uses OTPs
- Barclays PIN Sentry uses OTPs
- the list goes on...
Barclays PIN Sentry is a One Time Password (OTP) generating device.
Here's an interesting read from "Ranting About Barclays on Two Levels":
"I answered the first question "do you have your PINSentry through the post yet?" with a satisfied 'yes', and was then told to put my card into the slot and enter my pin, and enter the resulting 8-digit code into the website. That's it. No "here's a number, enter it into your device, encrypt it with your pin and enter the signed version back into the website", nothing.
So effectively, the PINSentry is just one of those time-based OTP token devices, only with a little bit of extra security in the way of a card slot and a PIN.
And the device itself authenticates PIN numbers too... my initial glee at having a device that can be used to quickly brute-force people's PINs was only marginally dented by the discovery that it has the ability to lock cards if you enter the PIN three times, because I now have a superb device for locking the cards of people I don't like."
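The contrast the quoted post draws, between a bare OTP and a code computed over a number supplied by the bank, shown as an added example that is not part of the original post or of any bank's or vendor's code. The OTP here is a generic RFC 6238-style time-based code and `signed_code` is an illustrative construction, not the PINSentry algorithm; the key, challenge, account identifiers and amounts are constructed.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int = 8) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otp(key: bytes, now: int, step: int = 30) -> str:
    """Time-based OTP: depends only on the shared key and the clock."""
    counter = struct.pack(">Q", now // step)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())

def signed_code(key: bytes, challenge: str, payee: str, amount: str) -> str:
    """Challenge-response code: the MAC covers the transaction details."""
    msg = "\x00".join((challenge, payee, amount)).encode()
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())

def bank_accepts_otp(key, code, now, payee, amount) -> bool:
    # payee and amount play no part: nothing in the OTP refers to them.
    return hmac.compare_digest(code, otp(key, now))

def bank_accepts_signed(key, code, challenge, payee, amount) -> bool:
    expected = signed_code(key, challenge, payee, amount)
    return hmac.compare_digest(code, expected)

# Constructed sample data (not real accounts, keys or challenges).
KEY = b"constructed-demo-key"
NOW = 1_200_000_000
CHALLENGE = "48213907"
INTENDED = ("GB00DEMO0001", "25.00")   # what the customer meant to approve
OTHER = ("GB00DEMO0002", "2500.00")    # a different transaction, same session

def demo() -> dict:
    code_otp = otp(KEY, NOW)
    code_sig = signed_code(KEY, CHALLENGE, *INTENDED)
    return {
        "otp_intended": bank_accepts_otp(KEY, code_otp, NOW, *INTENDED),
        "otp_other": bank_accepts_otp(KEY, code_otp, NOW, *OTHER),
        "signed_intended": bank_accepts_signed(KEY, code_sig, CHALLENGE, *INTENDED),
        "signed_other": bank_accepts_signed(KEY, code_sig, CHALLENGE, *OTHER),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The OTP verifies for either transaction because it proves only that the token was present at that moment, while the challenge-response code verifies only for the payee and amount it was computed over.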