On 10/10/14 10:55, Gilles Massen wrote:
> On 10/10/2014 09:51 AM, Alain Knaff wrote:
>> For all practical purposes, consider that the smartcard and USB stick
>> are no longer supported, except for niche applications (such as some
>> internal stuff at the Lux. government).
>
> For webbanking and general simplification of life, yes. (not as if there
> were any alternatives...)
> But keep in mind that the tokens rely obviously on a weaker security
> model (although you may not care)

*We* (the users) do care, but unfortunately *the banks* do not care...
Or how else is it possible that one major Luxembourgish bank took one
year and a half to fix a simple typo in a config file, which prevented
the card & stick from working?

> and are far less flexible. You can use
> the stick / cards for your own x509 authentication, sign emails... while
> the Token is only useful in situations a provider/LuxTrust agreed to. If

However, this "flexibility" may come back and bite you.
Indeed, the way banks use the Card and/or Stick carries one major
security risk due to their wrapper written in JNI: this wrapper
completely bypasses Java's security framework, and allows banks to sign
any document in the user's name without the user's knowledge. In a
situation where the bank's and the user's interests are not perfectly
aligned (such as when the user is suing the bank over bad investment
counseling), this is a *major* problem, because the bank could forge any
document "signed" by the user in order to damage his case, and bolster
their own case.
So, if you are in *any* kind of disagreement with your bank, better use
the token, rather than the stick.

> only there were proper Linux support for the
> sticks...
>
> So the token is much like an iPhone :)

Well, at least it doesn't bend... :-)

> best,
> Gilles

Regards,
Alain