This is a classic misunderstanding: if the app/software stack is compromised, the hardware token usually helps little, because the attacker might often trick the user into signing malformed transactions (e.g. modified bank account). #HSM #2FA https://twitter.com/io_r_us/status/934692918866120705 …
Replying to @rootkovska
some German banks offer "chipTAN", where a hardware token reads the transaction details from a code on the screen, displays the details (IBAN and amount) to the user on a built-in screen, and generates a code based on those details: https://www.postbank.de/privatkunden/tipp_chiptan.html …
Replying to @tehjh @rootkovska
I only recall one article about a successful attack on that - iirc the attacker modified the online banking UI client-side to show a fake incoming transaction and prompt the user to "send the money back". faked transaction list and balance.
7:54 AM - 26 Nov 2017