1995-12-31 - Re: Australian “calculatorcard”

Header Data

From: Johnathan Corgan <jcorgan@aeinet.com>
To: amp <C.deGroot@inter.nl.net>
Message Hash: 45a7b7852d1872616fd7c1d416a0666f5818039e8d026e770dcec18da99d8300
Message ID: <199512310627.WAA11299@scruz.net>
Reply To: N/A
UTC Datetime: 1995-12-31 08:09:35 UTC
Raw Date: Sun, 31 Dec 1995 16:09:35 +0800

Raw message

From: Johnathan Corgan <jcorgan@aeinet.com>
Date: Sun, 31 Dec 1995 16:09:35 +0800
To: amp <C.deGroot@inter.nl.net>
Subject: Re: Australian "calculatorcard"
Message-ID: <199512310627.WAA11299@scruz.net>
MIME-Version: 1.0
Content-Type: text/plain


>sounds like the card i use for remote dialup to certain non-public
>systems i use at work. it has a six digit number on the front that
>changes every 60 seconds. the card is registered to me. when i enter
>my username/password i'm prompted for the number. it's Pretty Good
>(tm) security, but like anything not biometric, it is vulnerable to
>black-bag attacks. physical possession being all that is required. if
>you know the algorithm and the serial number of the card and the
>time, even that isn't necessary.
>
>
>CG> Can anybody provide me with pointers to more in-depth information
>CG> about this device and the algorithm(s) behind it ?
>
>i don't know if there are any net sources for them, but i'd be
>surprised if not. my card references "security dynamics" of cambridge
>massachusetts.

You are referring to the ACE/SecurID token card from Security Dynamics.

In addition to the displayed number, you should be prepending it with a
memorized PIN; this prevents operation in case of theft.  The server end
will disable the card after x failed attempts, etc.  Otherwise it is
basically a one-time password system.

I've had a business relationship with these folks for a year or so now--
sharp guys.
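
Added example, not part of the original message and not Security Dynamics' code: a server-side check for the scheme described above, where the passcode is the memorized PIN followed by the displayed code and the card is disabled after repeated failures. The SecurID algorithm is not given on this page, so an HMAC-SHA1 time-step generator stands in for it; the seed, PIN, timestamp and the threshold of 3 are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60         # display changes every 60 seconds (per the quoted post)
DIGITS = 6        # six-digit number on the card (per the quoted post)
MAX_FAILURES = 3  # assumed value for the "x failed attempts" threshold

def token_code(seed: bytes, now: int) -> str:
    """Stand-in generator (HMAC-SHA1 over the time step), NOT SecurID's algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

class Card:
    """Server-side record for one registered card (hypothetical structure)."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin = seed, pin
        self.failures = 0
        self.disabled = False
        self.last_step = -1  # last time step accepted, so a code works only once

def verify(card: Card, passcode: str, now: int) -> bool:
    """Check PIN + displayed code; disable the card after MAX_FAILURES misses."""
    if card.disabled:
        return False
    step = now // STEP
    expected = card.pin + token_code(card.seed, now)
    matches = hmac.compare_digest(passcode.encode(), expected.encode())
    if matches and step > card.last_step:
        card.failures, card.last_step = 0, step
        return True
    card.failures += 1  # wrong PIN, wrong code, or a replayed code
    if card.failures >= MAX_FAILURES:
        card.disabled = True
    return False

if __name__ == "__main__":
    now = 820397375                           # constructed timestamp
    card = Card(b"constructed-seed", "4821")  # constructed seed and PIN
    code = token_code(card.seed, now)
    print("PIN + code accepted:", verify(card, card.pin + code, now))
    print("same passcode replayed:", verify(card, card.pin + code, now))
    print("code without PIN:", verify(card, code, now))
```
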


Thread