Thanks so much for the reply, I am relatively clueless abou the nuts and bolts. So from what you are saying they are using a sync crypto scheme where the password can be intercepted? I read in a bot master Q&A they use AES however why couldnt they just switch to async RSA or some kind of PKI based system?

I see they made some tools to analyze the traffic but no information about actually cracking any encryption. Seems to me this was mostly about hijacking and sinkholing contact peer domain lists. Perhaps they left out pertinant bits for their own safety but from reading this the controllers could bypass the sinkhole if their backup list was implemented correctly.

Ive been to several conferences where companies are rolling out this phone as a payment platforms.. Its a scam designed to get gulible journalists interested and either boost company exposure, dupe investors into buying shares or prove that X manager is being "innovative". Some are literally RFID credit card sim cards sticky taped onto the back of a mobile I kid you not. The reality is that everyone has a physical wallet/purse and that isnt going away any time soon. Also there are many things in that wallet which cannot be replaced by a mobile phone. Also are these the same journalists who write the "New Android Malware" articles which come out every week?

If they were really serious they would have fled to Singapore http://en.wikipedia.org/wiki/Income_tax_in_Singapore 0%-max 20% GST 7% corp taxes almost non existent. I laugh when I see the online "raise US taxes" brigade. And a commited well educated workforce. Whats more Singapore is booming like most of East Asia so the real market is just next door. The only thing is they dont have an open immigration door policy like America so getting in the front door could be hard but life is good and if you are in there is zero chance you will become a victim of crime.

Im not sure you have looked into https://www.shieldpass.com/ which is using the passwindow mutual authentication method not just OTP's used by the SecureID, I agree the RSA one time passwords are "over" being completely vulnerable to various MITM attacks including phishing etc as the codes contain no information to the user about what exactly it is being authenticated. This is the same problem with many tokens etc where a attacker can inject themselves at various point on the network, mobile or terminal itself with a trojan. *It should be noted however in RSA's defense that in this particular case you refer to it wasnt any of these usual methods they used to defeat the tokens but the fact they didnt airgap the machine holding the secret keys.

If you watch the demo video you can see that the transaction specific information ie could be something bitcoin specific is encoded into the challenge alongside the OTP so the user is informed as to what they are authenticating and the MITM fails. They cant switch challenges and they cant remove the transaction information from the challenge. Being a non humanly communicable key (the visual segmented pattern) they cant easily interrogate the user for key information either.

Its not perfect, for that we would need the server to be able to scan your soul however its cheap, convenient and more secure than the alternatives unless you have a better suggestion.

Time for 2FA authentication to be rolled out over bitcoin operators. The anonymity element makes it a huge juicy target for hackers, they need to start connecting it to something physically offline. I am working on a bitcoin wallet for shieldpass.com access tokens and then mutually authenticating each transaction.

What about putting a second offline non electronic factor like a www.shieldpass.com card over the top of the container?

The topic is online banking authentication so your points are mostly off topic. -It could easily be configured for use with email, ssh, imap, ldap, radius, etc -The amount of digits required from the user is configurable to any amount, it is a rolling password so while the demo requires 4 it could be 20 same goes for the amount of transaction information encoded into challenges. Even though its off topic il bite -I dont buy the argument that your phone screen is more personal than any other screen. If ninjas are in your house / office taking secret snapshots then the same kind of photographic attack or other cloning / switching of devices etc could be done against almost any device / terminal display / set of keys and you have bigger problems, that proximity attack argument could go on forever ending in a rubber hose. For what its worth the visual key patterns can be obfuscated with transflective laminates etc very cheaply or for a few bucks extra could be electrochromatic like any device but the cost justification just isnt there when a piece of plastic only costs a few cents and it is designed for online authentication. Personal attacks are beyond the scope and frankly with the developments in remote electronic scanning I feel more secure about these non electronic cards than my RFID cards. For online authentication it solves the MITM attack problem and does it extremely cheaply.

Banks resist the idea because all the major trojans wreaking havoc have MITM /MITB capabilities to bypass the tokens and mobile sms in one way or another as well as cost issues. The 2 European banks in the following article were using transaction signing tokens http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians and mobile sms trojans have been around for awhile now http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html You might want to investigate https://www.shieldpass.com/ online authentication cards which are cheap and can do mutual authentication passively. For example specific transaction information can be included in the challenges to stop MITM and the process is passive or visual so the trojans or phishers cant walk a target through a transaction as they did with the first link.

Many of the 2FA ideas put forward on here are broken Most major trojans have MITM or MITB capabilities to bypass many of the pure OTP type methods put forward here, including the manual transaction signing tokens. http://slashdot.org/story/10/07/25/1954216/Online-Banking-Trojan-Stole-Money-From-Belgians Mobile authentication should be considered broken since there are many more ways past it and many newer trojans come with mobile plugins now too. http://securityblog.s21sec.com/2010/09/zeus-mitmo-man-in-mobile-i.html I use https://www.shieldpass.com/ authentication cards which have the ability to do mutual authentication passively and not be vulnerable to MITM. The plastic cards themselves cost less than a few cents to make so theres no argument why America shouldnt be using them.

While I agree two factor is the way to go especially for the poster whos primary goal which seems to have been missed is securing a website I couldnt see anything great/innovative on the Arcot website. Primarily everything they have put forward seems to be vulnerable to localized infection (ie a trojan on the local device performing MITM) and I am particularly concerned with their pushing mobile based authentication which I can tell you most Asian countries are bailing out of there are so many different attack methods. The key to the authentication problem is mutual authentication otherwise you are only protecting against keylogging which is a very 80's attack unfortunately there are very few 2FAs which can do it securely.

I realise people like to talk about crypto but user authentication is much more pressing security problem and the weak link in all the recent attacks. Im not reading about X breaking X crypto instead I hear static passwords being gotten one way or another and all the crypto being bypassed. A friendly suggestion for your secure site would be to use 2FA dynamic passwords in as many places as you can preferably with mutual authentication capabilities to prevent MITM, further suggestions would be using Yubikeys or ShieldPass cards and I believe Verisign has a service but the former are much easier to implement and relatively cheap.

You should consider adding 2FA authentication token such as a Yubikey which has lots of great extensions or for more security a ShieldPass access card which has the mutual authentication capability.

You are correct about the security uselessness of the OTP devices however I would suggest you checkout my passwindow 2FA method which isnt vulnerable to phishing / MITM / MITB etc because it can do passive mutual authentication and include transaction information in the window. There are details on the security page. Its also just a cheap piece of plastic which fits in your wallet and is easy to distribute by letter.

Yes this does happen, they dont even need to install a trojan on your computer they do it with phishing pages which have a jabber instant messenger client which instantly relays the OTP (one time password) to a server which does an immediate backconnect to the bank etc and logs in. The other way they are bypassing these devices is through a trojan on the computer and they hijack the browser, MITB man in the browser. The OTP security token method is pretty much useless actually not really protecting against much at all which isnt already covered by ssl. The problem with the OTP devices is they are only one way authentication. The MITB attacks defeat just about everything else available even recently the active mutual authentication electronic tokens. About the only online authentication method which isnt vulnerable is the passwindow cards as they are the only online authentication I know of capable of passive mutual authentication. (active means a human has to do something and then gets tricked by the torjan in the browser, passwive is where you just view and dont do anything except enter the password) http://en.wikipedia.org/wiki/Mutual_authentication