Quote:
Originally Posted by mittman84
But if it's broken/lost you will have to wait for another one to ship before you have access to your account. Stars sends you a sheet of one time codes. That isn't any less secure, you can hide them away somewhere.
I suppose it's better for their business to help customers be able to access their account if they lose their token, but as someone who is aware of how RSA works this is kind of concerning. Based on a cryptanalysis study of RSA's SecurID hash function (the function that generates the key every 30 seconds), it can be possible to "break" (be able to predict) the RSA SecurIDs with enough plain text data. In other words, if someone were able to get ahold of that sheet of one time codes (have access to your email), they may be able to determine at least one vanishing differential of your hash function and thus "break" your RSA token and be able to predict all the "randomly" generated codes.
Before anyone gets too scared, there is only a 10% chance of being able to do this and that's with having two months of plaintext code. I don't know how many codes they send you, but stuff often takes many weeks to get sent to me from the Full Tilt store and people hit 9-1 shots against me all the time.
All that being said, I'm very happy about this RSA token being added and I will feel pretty close to 100% safe about my account now and was merely pointing out a possible weakness to the system. And believe me, there's a lot more money to be made cracking RSA for things more important than a FT account and it requires a significant amount of education in number theory and cryptography.
I may write up more about potential threats to the SecurID system in the future if anyone is interested.