WoW account safer than credit card…

Blizzard offer World of Warcraft players two choices for an additional layer of security. There is the Blizzard Authenticator and the Blizzard Mobile Authenticator. I have the former.

So here’s a question for you. How come we don’t have this built into our credit/debit cards somehow?

Verified by Visa seems to have gotten dropped… Because it asks you to type in a static password, so thieves just copied the pages and snagged the passwords :).

I’d sure as hell spend an extra $10 to have a dynamic PIN built into my CC.

9 Comments

VbV does not dictate the method the bank uses to authenticate the transaction. My bank uses one-time passwords, for example. It’s a pain in the ass, though, since now I have to carry the OTP sheet with me in case I need to use some VbV site away from home.

Some questions about the WoW authenticator dongle – does the code change each time you press the button? I.e. is it generated serially, or is there a time-dependency or something else? If it’s serial, what happens if the generator on your dongle gets out-of-sync with the one on the server for whatever reason? If it’s time-based, how is the device supposed to keep accurate time?

The Chip&Pin solution was pretty discredited in this paper I read, don’t recall the source now but the conclusion was that it was severely flawed in many ways. The one that stood out in my mind is that since the chip will tell you if the pin entered was correct, there is potential for kidnapping people and then torturing them until they give up the *correct* pin, something that apparently already has happened. It was an interesting paper, too bad I can’t remember where it was from.

@Tuure Typically it’s time-based and is basically a time-seeded pseudo-random number generator; the server keeps a window of a number of possible options that are around the “correct” one that can be used, and then uses that offset to reset the window after a number of attempts.

But typically there’s always the possibility of the time getting so far out of sync (but it’s likely that it uses your handset’s clock)

RSA tokens used to work in a very similar fashion

— asn
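The time-window scheme described in the comment above, as an added example that is not part of the original post or comments and is not Blizzard's or RSA's code. It uses the public RFC 6238 TOTP algorithm as a stand-in; `TokenRecord`, `verify`, the 30-second step, the ±2-step window and re-centring on every successful login are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed here)
DIGITS = 6   # code length (assumed)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238: the HOTP code for the time step containing unix_time."""
    return hotp(secret, int(unix_time // STEP))

class TokenRecord:
    """Server-side state for one token (hypothetical structure)."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0           # learned clock offset of the token, in steps
        self.last_counter = -1   # highest time step already accepted

def verify(rec: TokenRecord, code: str, server_time: float, window: int = 2) -> bool:
    """Accept a code within +/- window steps of the expected time step.

    On success the matched offset is stored, so the window re-centres on
    the token's clock. Any step at or below the last accepted one is
    refused, so a captured code cannot be replayed.
    """
    centre = int(server_time // STEP) + rec.drift
    # Try the expected step first, then its nearest neighbours.
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = centre + delta
        if counter <= rec.last_counter:
            continue
        if hmac.compare_digest(hotp(rec.secret, counter), code):
            rec.drift += delta
            rec.last_counter = counter
            return True
    return False
```

A token whose clock has drifted further than the window is rejected outright and needs a separate resynchronisation step, which this sketch does not implement.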

@lutorm would that perhaps be http://www.lightbluetouchpaper.org/ ?

I’m pretty sure Oli will recognise one of the frequent posters there too :P

— asn

ROFL :) Turnpike :)

I was more thinking that you wouldn’t use the pin for online transactions, you’d use the generated number.

It’s basically a crypto card. Every few seconds it generates a new number, based on an initial seed. So each key has a very short lifetime – 5s or so.

Barclays use a similar system.

Nationwide in the UK also use those pin gadgets that Laccy links to.

That was weird. It took two days for me to see my first post.
