PPRuNe Forums - View Single Post - Bank gadgets
Old 6th September 2013 | 14:40
mixture
 
Joined: Aug 2002
Posts: 3,663
Likes: 0
From: Earth
Not so sure about the fob gadget - anyone could have it.
Comments mix?
Interesting question.

Starting from the obvious assumption they already know your username and password ...

You're right about the fob. If someone got it and somehow got to know your PIN, then you're right, impersonating you would not be difficult. So to a certain degree I guess you could say a fob is equivalent to the old fashioned signature. Having said which, you could report loss of the fob and they could then block it on their systems.

Assuming the bank makes it sufficient hassle for your registered mobile number to be changed, then I certainly can see how you could argue SMS to be the better option of the two.

SMS does have the downside of being reliant on your phone and the existence of a signal. I suppose you could also argue the risk of interception?

I suppose the summary is that it's six of one or half a dozen of the other. Both SMS and the fob do a great deal more for your security than a system that relies solely on username and password.

There are also fancy systems I've seen that don't use either fob or SMS but play clever tricks on the website (e.g. they display a random selection of images in a random order, only one image is your pre-selected image).

What about collisions? There must be many HMAC-SHA-1 values that truncate to the same HOTP number.
I suspect there's a very high chance of the same number being (eventually) generated since you're truncating the length and removing the hex element.

The answer most likely lies in the context, in that a collision attack is not a likely vector for an authentication mechanism of this sort. No doubt somebody will try it one day though I suppose (if they haven't already!).

(The main purpose of this sort of authentication mechanism being to avoid replay attacks and similar vectors. So one assumes the risk of a series of identical truncated results from the same fob is unlikely).

Last edited by mixture; 6th September 2013 at 14:49.