I have been using the VTB24 telebank for a long time.
Two protection schemes are offered for operation - a variable code card and a digital certificate (in conjunction with the Inter-PRO software).
I use a variable code card, and every time I sign payments at the bank, I get a lecture on how much better off I would be if I switched to a digital certificate.
The variable code card is more convenient to work with for a banal reason: the telebank can be used on any device, including ones where the required software cannot be installed. The clearest examples are a computer in an Internet cafe (or at someone else's place), a communicator, or a "wrong" OS (as was rightly noted in the comments).
The main advantages of a digital signature are increased payment limits and enhanced security. It is precisely the security that I have strong doubts about, and I want to share my thoughts on it with you, %username%.
Below are the advantages of using a digital signature, taken from a bank leaflet.
1. You can be sure that you have connected to VTB24, and not to a site very similar to it.
2. A hacker will not be able to mount a Man in the middle attack against you.
3. An evil hacker will not be able to connect to the VTB24 server under the guise of a client.
Consider these points in the context of two schemes - variable codes and a digital certificate.
Items 1 and 2 are actually 90% similar. In fact, it all comes down to a comparison: SSL versus ... some kind of protocol. “Some kind of protocol” is probably more robust against “Man in the middle”, because the session is encrypted from the very beginning (I am not exactly sure, but otherwise the shamanism with Inter-PRO loses all meaning).
Point 3, in my opinion, is the main objection to the "enhanced security". I propose to compare what our hacker would have to do in each case in order to connect as a client.
Digital certificate. The certificate itself is stolen by a trojan. If it is protected by a password, then the trojan has to be able to steal your password as well. Nothing supernatural.
Code card. The password has to be stolen, again by a trojan. But, attention: the password is useless without the offline (and in general not digital in its essence) card. The hacker needs to get hold of your card.
So, on points 1 and 2, the digital certificate wins. On point 3, the code card wins. A comparison of the security schemes comes down to a comparison of the likelihood of the possible attacks.
Which do you believe in more: a mythical hacker sitting between you and the bank who has wedged himself into your SSL connection with the bank, or a trojan that steals your certificate?
I made my choice - I do not believe in the mythical hacker, but I believe in a trojan. My choice is the variable code card.
PS After writing, I showed the article to my wife, and she said that when using the scheme with Inter-PRO, you also have to enter a code from the variable code card once every couple of months. Everything falls into place. But I will stay on the current scheme because of the communicator.