I recently heard about an interesting twist on dial-back security. With
this product, a remote user dials a server and provides a user-id. This
server then calls a pager assigned to this person and provides a one-time
password. The person who initiated the call then uses the one-time
password from their beeper to complete the logon. This approach is
interesting to me for several reasons: 1) it could allow for the
elimination of the requirement for a separate hardware device or list of
one-time passwords that could be stolen or lost (or in the case of a paper
list, copied), 2) it supports mobility, i.e., the remote user is not
constrained to a fixed call back telephone number 3) it could be set up so
that one-time passwords were time sensitive in that the password had to be
used during the same dialog in which it was requested OR if the requesting
call were a separate call from the one where the one-time-password was
used, then that the one-time-password has to be used within X seconds of
being issued 4) in some cases the beeper would already be something that
the remote user was using for other purposes. It would seem possible to me
that several variations on this concept might be made to better suit the
business requirements of the organization using it. For example, the number
originally called could be a toll-free number, e.g., an 800 number or the
initiating "call" could be based on another communication mechanism; the
central site, i.e., the modem pool location, could initiate a call back to
a number specified in the initial communication so as to have the cost of
the call billed to it; the number provided over the beeper call could be
an index value (use item X from your list of one-time-passwords) or a key
value that was further manipulated by the remote user prior to being used
as a one-time-password.
As I mentioned, I heard about this as a product announcement but it would
seem to me that using the main idea of using a beeper call to provide a
one-time-password, that there would be many possibilities for customizing
or integrating a solution.
**** cjolley @ iac . net <Carl Jolley>
**** All opinions are my own and not necessarily those of my employer ****
On Wed, 26 Apr 1995, Kare Presttun wrote:
> >
> > From: FV Admin mail <fvadmin @ sgf . fv . com>
> > Date: Tue, 25 Apr 1995 18:15:52 +0100
> > Subject: Re: Secure Modem Pool
> >
> > > Generally, these kind of attacks work like this: a person trying to
> > > break in dials up the modem, and then simulates a hangup noise and
> > > dialtone WITHOUT ACTUALLY HANGING UP. The dialback modem thinks the
> > > line has hung up, picks up the line, dials, and waits for a carrier.
> > > The person supplies a carrier, and voila, connects to the system.
> >
> > Well, that's just *broken*. Either that, or it's from the way-back days
> > when the callee couldn't hang up on a call if the caller stayed off
> > hook. Nowadays, there's no possible reason why a callback modem wouldn't
> > just hang up the line itself before picking up, listening for dial-tone,
> > and dialing.
>
> In most countries, if the caller stays off hook, the called side
> must go on hook for 30 - 60 seconds to break the connection, so the
> trick described above works well. Calling back on a different line
> is the safe way, although I prefer strong authentication with one
> time passwords. If you have just one line, have the modem wait (on
> hook) for at least one minute before calling back.
>
> >
> > The other means of breaking into a callback modem is to have the phone
> > company add call forwarding to the employee's phone (who checks?), have it
> > forwarded to the cracker's modem, and then call in. --Darren
> >
> Yes, why not.
> >
> Kare
>
>
> ================================================================
> * Kare Presttun Tel: +33 1 4058 5614 *
> * Alcanet International Fax: +33 1 4058 5945 *
> * 33, rue Emeriau Kare . Presttun @ ansf . alcatel . fr *
> * F-75015 Paris *
> * France *
> ================================================================
>
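The time-limited, single-use pager password described at the top of this message can be sketched as follows. This is an added example, not part of the original post or of the product it mentions; the class name `PagerOtpIssuer`, the `send_page` callback, the 6-digit code, the 60-second value for "X" and the three-guess limit are all assumptions.

```python
import hmac
import secrets
import time


class PagerOtpIssuer:
    """Issue one-time passwords that are paged out-of-band and expire after ttl seconds."""

    def __init__(self, send_page, ttl=60, max_tries=3, clock=time.monotonic):
        self.send_page = send_page      # hypothetical callback: (user_id, code) -> None
        self.ttl = ttl                  # the "X seconds" from the message (assumed 60)
        self.max_tries = max_tries      # assumed: wrong guesses allowed before voiding
        self.clock = clock              # injectable so expiry can be tested
        self.pending = {}               # user_id -> [code, expiry, tries_left]

    def request(self, user_id):
        """Step 1: caller gives a user-id; a fresh code goes to that user's pager."""
        code = f"{secrets.randbelow(10**6):06d}"
        # A new request replaces any outstanding code for the same user.
        self.pending[user_id] = [code, self.clock() + self.ttl, self.max_tries]
        self.send_page(user_id, code)

    def verify(self, user_id, attempt):
        """Step 2: caller types the paged code; returns True at most once per request."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        code, expiry, tries_left = entry
        if self.clock() > expiry:
            del self.pending[user_id]   # too late: the code is dead
            return False
        if hmac.compare_digest(code.encode(), attempt.encode()):
            del self.pending[user_id]   # single use: a replayed code fails
            return True
        entry[2] = tries_left - 1
        if entry[2] <= 0:
            del self.pending[user_id]   # limit online guessing of a short code
        return False
```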