Intruders may have stolen data pertaining to RSA one time password (OTP) tokens. However, RSA won't tell the general public what has happened. There is a support note which is accessible only to customers.
OTP uses keys that need to remain secret, but I don't think these keys have been stolen.
Showing posts with label one time passwords. Show all posts
Sunday, 20 March 2011
Friday, 18 December 2009
Credit Card Abuse, Again
Employees of a call center in Bremen, Germany have allegedly abused the credit cards of British Airways customers. This has been reported by the TV magazine "buten un binnen". A team manager has been arrested. Certainly this is only the tip of the iceberg.
It is well known and accepted that credit cards offer no security at all. Users will reclaim their money if they read their credit card statement. Fraud costs will be distributed to the general public via insurance and merchant fees.
However, a normal smart card won't fix this because it can't be used with a call center. The only viable options here are the internet with secure online banking and OTP. Both options require that dedicated security hardware is used by the end customer. There is no free lunch.
Sunday, 30 August 2009
Real Time Keylogging
According to the New York Times, the trojan Clampi is able to send key presses in real time. This means that it can be used to attack one time password (OTP) systems.
From here on, it seems necessary to consider a more complex mode of OTP known as EMV CAP or Visa DPA. Here the server sends a challenge, which is signed by a smart card. Therefore the attacker cannot use the stolen OTP signature for any purpose other than the one it was originally intended for.
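The following added example (not code from the original post) sketches the server-side check for such a challenge-response scheme. It is not the EMV CAP algorithm: HMAC-SHA256 stands in for the card's cryptogram, and the key, payee names, amounts and the choice to sign payee and amount along with the challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; in a real deployment the key never leaves the smart card.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def card_sign(key: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Card/reader side: sign the challenge plus the details the user confirms."""
    msg = f"{challenge}|{payee}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits so a person can type the response.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Server:
    """Bank side: issues single-use challenges bound to one pending transaction."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # challenge -> (payee, amount_cents)

    def start(self, payee: str, amount_cents: int) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (payee, amount_cents)
        return challenge

    def confirm(self, challenge: str, response: str) -> bool:
        # pop() makes the challenge single-use, so a replayed response fails.
        txn = self._pending.pop(challenge, None)
        if txn is None:
            return False
        expected = card_sign(self._key, challenge, *txn)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    server = Server(CARD_KEY)
    c1 = server.start("CUSTOMER-PAYEE", 5000)      # constructed sample values
    r1 = card_sign(CARD_KEY, c1, "CUSTOMER-PAYEE", 5000)
    # A different transaction gets its own challenge; r1 was captured in transit.
    c2 = server.start("OTHER-PAYEE", 900000)
    return {
        "captured_on_other_txn": server.confirm(c2, r1),
        "legitimate": server.confirm(c1, r1),
        "replayed": server.confirm(c1, r1),
    }
```

A response keylogged in real time is only valid for the one pending transaction whose challenge and details went into it, which is the property a plain OTP lacks.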
Labels: e-crime, one time passwords, smart cards, sniffing