by ravel-bar-foo 1262 days ago
It is worth mentioning that to make a bank transfer in Korea (used to[1]) require 3-factor authentication: the user's website password, the user's PIN, the user's encryption certificate signature/공인인증서, and two randomly selected codes from a paper numbers card (보안카드: https://file2.nocutnews.co.kr/newsroom/image/2013/07/02/2013...), which users are instructed to never copy or digitize.

Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card. (If the attacker compromises the card by attacking the bank, I trust attackers will reveal themselves going after larger accounts). As long as I keep this piece of laminated plastic private and visit a bank branch to replace it every 17 to 35 transactions, I can have some peace of mind, at least regarding my bank account.

[1] There have since been efforts to streamline mobile payments, which I avoid because it leaves the phone as a single point for compromise.


>Of all these solutions, the numbers card gives me the most peace of mind: even if my machine is fully compromised and all my passwords and certificates stolen, the attacker would likely need very long-term access (or access to the bank's server) to get all 35 numbers from the card

I think you're overestimating how much security this provides and missing a very simple workaround: the attacker can simply wait until you perform a transfer, and then replace the intended recipient detail with theirs. For instance, if Alice was sending funds to Bob, and the attacker controls the machine, they can simply replace the recipient with Mallory, while still displaying Bob to the user.

You're right. The machine remains a big single vulnerability. However, there is a process to catch this: one (used to?) have the option to get a text by SMS following the transfer. This (used to) list the recipient. For whatever reason I haven't gotten a text like this in a few years. Probably my bank disabled it to push people to their mobile app.
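The exchange above describes a challenge-response scheme (the bank names two of the 35 card cells, the user types those codes), a recipient-swap attack from a compromised browser, and an SMS confirmation as the check that catches it. The model below is an added example written for this page, not code from the thread or from any Korean bank; the card values, account names, amounts, the 35-cell size and the "two random cells per transfer" rule are taken from the comments or constructed here. It shows why the card codes alone do not protect the recipient (they never depend on it), how an out-of-band confirmation that lists the recipient catches the swap, and how many cells a keylogger learns per transfer.

```python
"""Model of a paper security-card (보안카드) transfer, the recipient-swap attack
from a compromised browser, and an out-of-band confirmation check.
Card values, names and amounts are constructed for this example."""
import secrets
from dataclasses import dataclass, field

CARD_CELLS = 35  # cells on the card described in the thread


def issue_card(rng=secrets.SystemRandom()):
    """A fresh card: 35 four-digit codes (format assumed for the example)."""
    return [f"{rng.randrange(10000):04d}" for _ in range(CARD_CELLS)]


@dataclass
class Transfer:
    recipient: str
    amount: int


@dataclass
class Bank:
    card: list                                   # bank's copy of the card
    ledger: list = field(default_factory=list)
    pending: Transfer = None
    challenge: tuple = None
    rng: object = field(default_factory=secrets.SystemRandom)

    def begin_transfer(self, transfer):
        """Store the transfer *as received* and pick two distinct cells."""
        self.pending = transfer
        self.challenge = tuple(self.rng.sample(range(CARD_CELLS), 2))
        return self.challenge

    def confirmation_sms(self):
        """What the bank would text to the phone: the recipient it actually has."""
        return f"Transfer {self.pending.amount} to {self.pending.recipient}?"

    def complete_transfer(self, codes):
        """The codes prove card possession only; nothing ties them to the payee."""
        expected = tuple(self.card[i] for i in self.challenge)
        if tuple(codes) != expected:
            return False
        self.ledger.append(self.pending)
        self.pending = self.challenge = None
        return True


@dataclass
class User:
    card: list

    def answer(self, challenge):
        """Read the two requested cells off the laminated card."""
        return [self.card[i] for i in challenge]


def transfer_via_browser(user, bank, intended, compromised=False):
    """A compromised browser swaps the payee on the wire but still shows the
    intended one; the user answers the challenge exactly as in the honest case."""
    sent = Transfer("mallory-account", intended.amount) if compromised else intended
    challenge = bank.begin_transfer(sent)
    return bank.complete_transfer(user.answer(challenge))


def transfer_with_sms_check(user, bank, intended, compromised=False):
    """Same flow, but the user compares the bank's SMS (delivered to the phone,
    not the compromised machine) with the intended payee before typing codes."""
    sent = Transfer("mallory-account", intended.amount) if compromised else intended
    challenge = bank.begin_transfer(sent)
    if intended.recipient not in bank.confirmation_sms():
        bank.pending = bank.challenge = None     # user refuses to continue
        return False
    return bank.complete_transfer(user.answer(challenge))


def keylogger_harvest(user, bank, n_transfers):
    """Distinct cells a keylogger learns after n honest transfers (2 per transfer),
    which is why the card is replaced after a bounded number of uses."""
    seen = set()
    for _ in range(n_transfers):
        challenge = bank.begin_transfer(Transfer("bob", 1))
        bank.complete_transfer(user.answer(challenge))
        seen.update(challenge)
    return len(seen)


def run_demo():
    card = issue_card()
    bank, user = Bank(card=list(card)), User(card=card)
    intended = Transfer("bob", 100)
    return {
        "honest": transfer_via_browser(user, bank, intended),
        "swapped": transfer_via_browser(user, bank, intended, compromised=True),
        "caught": transfer_with_sms_check(user, bank, intended, compromised=True),
        "ledger": [(t.recipient, t.amount) for t in bank.ledger],
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of `complete_transfer` is that the bank verifies possession of the card, not the transaction: a code for cell 12 is the same whether the payee is Bob or Mallory, so the swapped transfer is accepted. The SMS check works only because it travels over a channel the attacker does not control and because the user actually reads the recipient in it; a hardware token that signs the recipient and amount (transaction signing) closes the same gap without relying on the user noticing.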
btw, this paper card approach was replaced by physical hardware OTP tokens (lasting multiple years until they have to be replaced), it’s as secure as the supply chain (which is also a factor for paper cards), so I’m not sure why Korea still clings to this as tokens are obviously a net gain in ops cost
I dunno where you got the idea that South Korea still clings to paper-based number cards, but OTP tokens have been in use for the better part of a decade here. Nowadays you don't even need hardware tokens, since it's considered OK to replace them with mobile apps that use TPM to manage keys.
I’ve got the idea from the parent comment obviously. It’s cool that the practice of paper cards is not as widespread as I thought after reading it.
Sorry about that. My bank still provides me with cards. I never asked about an OTP dongle and I don't want to enable mobile banking, so cards it is. But almost everyone in Korea (who isn't paranoid about a single compromised device) is now on mobile banking, rather than website banking.
The Canada Revenue Agency does something similar, where instead of TOTP they ask you to print a grid of alphanums and they ask you for combinations.

The only problem is I think they're only good for a couple months at which point you need to do verification by mailed token which is a royal pain in the ass

As pointed out, legislation detailed the exact measures that needed to be taken. I guess they copied over the idea of European TANs but they never found out about hardware OTPs.