Comment Re:False security (Score 1) 103

I am not associated with Magtek, but at least they are offering a solution. You can't call it snake oil, as it has been widely deployed (in Chile) and has worked quite well by all reports. Their technology security argument seems as strong as anyone else's argument. The question to you is: what's the alternative? Magtek requires new read heads to be installed; EMV requires entirely new hardware and the new smartcards to go along with them, which cost $2 a pop, which by the million is no small change. The bank managers I've spoken to in emerging countries simply cannot justify the costs, and neither solution solves the biggest worry, which is online CNP fraud. Until there is a better alternative solution, banks must act on what they have in front of them now.

Comment Re:Electronic OTP card is highly vulnerable (Score 1) 103

Regarding the personal attacks, i.e. hidden cameras etc., actually I came up with a really simple solution: you tint the transparent background to a 75% darkness, which appears almost black in normal lighting, but then when placed over an electronic screen the key segments are clearly visible. Most people just don't realise how bright the average screen is. From playing with it I know I would have a much easier time surveilling my OTP token screen with a hidden camera than the tinted key pattern. The best thing is that this doesn't cost any extra, as the tinting is done with the regular ink used to print other text on the cards. Of course, if the attacker can get the card off you and out of your sight, then with a light setup he will be able to take a photo of the card, but in that scenario all devices fail. We have run the regular tinting through regular photocopiers, which only saw black. The card factories are excited about reflective laminates and special angle-viewable inks, but of course that would all increase the cost, so once again the security gain from these tricky solutions is only marginal compared to the free tinting idea (a similar situation with the electronic tokens). Of course a purpose with a budget which is prepared to spend more than $1 per user could have special tinting effects for better protection.

I am letting clients choose their own tinting level based on their customer demographic and how likely they will be authenticating out in public. Ideally I would like to see tinting levels customized for individual users, i.e. if ($member_age>60) $tint = 40% etc.

If you would like a sample card I am happy to mail a free one out to you if you put your details into the website contact form. Ultimately there will be a lot of customizing going on for different uses and different levels of paranoia.

Comment Re:Electronic OTP card is highly vulnerable (Score 1) 103

Regarding deductive trojan analysis of PassWindow, you are correct: each time the token is used a tiny bit of probabilistic information is leaked in an ideal trojan attack. Since this is the only online attack the method faces, everything from the beginning is done to eliminate that specific threat. When we generate a new key and associated challenge data we assume a trojan is intercepting all the challenges and all the correct user responses. Since the combinatorics inference is entirely predictable, we can deduce exactly how many interceptions an attacker would require to break the newly generated key pattern. By tweaking several parameters of the challenges, without even increasing the key size, we can easily achieve interception thresholds of over 10,000 interceptions, which means that in an attack situation, assuming a user authenticates or logs in once a day for 27 years, the trojan still wouldn't have enough data to crack the key pattern. Much higher interception protection rates can be easily achieved; however, it is technically unnecessary, and indeed it is adjustable on the fly to make sure an assumed attacker never gets anywhere near enough information. Of course the server keeps track of every key's number of authentications and its pre-analysed interception crack number, and the life expectancy of a card is usually no more than a few years, so this method of attack doesn't appear to be feasible.

Of course the main security advantage over expensive electronic OTP tokens, apart from the cost, is the ability to do transaction authentication, preventing all trojans from doing harm at a fundamental level without hassling the user to enter transaction information into a large electronic authentication device.

We've had an electronic version on the table for a while, but the costs / reliability don't seem to justify the theoretical security increase and the odd extra transaction possibilities over the simple printed approach. In the future it will definitely be released, but the card technology as shown in the article isn't really quite there yet. While it looks cool for an OTP, the reality is cards go in wallets and wallets go into back pockets under backsides, which can place enormous pressure on the liquid screens. I am sure the technology will improve in the future.

Thanks for the commendation. If you have any questions or theoretical attacks I am happy to talk about them; it's really a simple idea, and in some ways the simplicity leaves an attacker little room to manoeuvre for an attack.

Comment Re:False security (Score 1) 103

Yes, I understand the Magtek solution was widely introduced in Chile and Argentina. I am not associated with the company and have no idea where it's been implemented; all I know is a bank manager there who implemented it said that cloning went to zero since they did. I like their cost-effective solution to the problem which, according to the article above, EMV (which Europe has gone for) is failing to solve. I don't disagree the OTP generators are not better than nothing and do add an extra step for the attacker, but the trojans are taking that extra step and winning. Often the use of OTP absolves the banks of any liability in the fraud, so in some ways it could be worse than nothing. To be clear, the article is a little misleading from the point of view that the OTP security has nothing to do with stopping cards being cloned; it's an online authentication system.

Comment Re:Electronic OTP card is highly vulnerable (Score 1) 103

Ah cheers, thanks mate. It's hard pushing an entirely new method in such a conservative industry, but I've finally got some banks implementing it and some online service networks in Asia where security was important. (Not in Australia yet, however.) Actually, since the show I've improved it enormously. The main discovery was that I can do transaction authentication, which prevents any type of trojan attack at a fundamental level and gives it a security edge over the electronic OTP devices many banks currently use. The other difference is that you would have seen the static challenges on the show with static digits; however, I figured out that by animating single digits in an animated gif any deduction analysis on the challenge becomes exponentially more difficult, and usability seems to have improved. You can see a demo at http://www.passwindow.com/ I wanted to show it on the grand final episode, but the producers of the show had rules about introducing new material. Thanks again for the support.

Comment Re:False security (Score 1) 103

The OTP card shown in the article is purely used for online transactions. There is no hardware or method available for authenticating these OTP values in a personal way, say at an ATM or a shop. In these cases, to prevent cloning they would opt to use the EMV secret key on the smartchip inside most cards; sadly there are ways around this too, by tricking the devices that your card isn't running on the EMV standard so it goes into a non-EMV mode. About the only solution which can fix the card cloning problem economically is the magtek.com method used in South America to cut cloning down to zero. They take a fingerprint of the background noise on the card's magnetic strip and then add a special reader head to ATMs etc. to check this fingerprint exists. The fingerprint is randomly created at time of manufacture and so is technically almost impossible to recreate.

Comment Re:False security (Score 1) 103

No need to attack the algorithm. Instead of running a keylogger, just run a trojan which attacks the browser and MITB your way straight past this and other OTP devices. Zeus and most of the major trojans already do. While the device shows no information about WHAT they are authenticating, it's easy to get a user to authenticate whatever you like without spending any extra bucks.

Comment Electronic OTP card is highly vulnerable (Score 1) 103

Like all OTP devices, including the RSA OTP tokens, the modern trojans simply MITB (Man-in-the-Browser) their way past these devices, including the electronic card pictured in the article. Most of the new trojans (Zeus etc.) have this feature or module: they simply hijack the browser DLL and then create a second connection in the background. Often the banks require a second OTP value to authenticate the outgoing transaction, and so the trojans usually just bounce the user to a "session expired, please login again" page and use the new OTP to validate the outgoing transaction. My own method http://www.passwindow.com/ does OTP without electronics and at zero cost of implementation, but more importantly it can do transaction authentication (including transaction details in the challenge itself) without any extra requirement from the user (i.e. no requirement to enter long transaction account details into a separate device). The trojans are unable to bypass transaction authentication, and I know of no other online 2-factor authentication method which is as cheap or usable.

Comment Re:Software alone wont ever solve this problem. (Score 1) 117

You are right, the merchants are getting hit probably just as hard as the banks with credit card fraud. I was thinking more of trojans like Zeus etc. which are stealing users' banking logins and then filtering money out of people's accounts to their mules. This liability would, or should, fall squarely on the banks. The reality is we are probably all getting hit indirectly by this problem, and it only seems to grow. Laziness can never be solved, agreed.

Comment Re:Software alone wont ever solve this problem. (Score 1) 117

> Oh. I was actually being sarcastic.

Don't be sarcastic; didn't you know it's the lowest form of wit.

> This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to?

You have only given one reason, and it's not a security one. I would go with the one which offered me the best security and convenience; you didn't consider the inconvenience caused by having your accounts looted, which the liability doesn't cover.

> If they both make that promise, what does the consumer gain from the device?

You do realise that shifting the liability onto the banks doesn't actually prevent the theft? The users still pay for it one way or another, and it's not simply a matter of cost or inconvenience to the public but also the lack of faith in an inherently superior and more cost-effective method, i.e. banking online instead of going to a branch.

> And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.

Please define your vulnerability. If you are talking about the banks' servers themselves being attacked, I believe it is very, very rare, and it would be good if you could provide a reference. The vast majority of trojan cyber crime, which is the issue here, is performed against the users, not the banks' backend servers.

Comment Software alone wont ever solve this problem. (Score 5, Insightful) 117

Call me defeatist, but I believe there is no way the whitehats can out-software-manoeuvre the blackhats with software-only solutions. The increasing complexity of modern systems ensures that the security holes will only grow, not diminish. But maybe the next software "update" will solve all our problems this time?... The only permanent solution I can see is mass deployment of airgapped two-factor tokens specifically for transaction authentication, not generic OTP, which the trojans are bypassing. This is the only security where I can guarantee what I am authenticating by looking at an airgapped device. I find it increasingly difficult to justify the performance loss of running anti-malware software for the ever-diminishing protection offered.

Comment Google needs to move to two factor authentication (Score 2, Insightful) 306

A cheap two-factor solution like passwindow.com, where the user tokens cost nothing to produce, would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens, which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?