Network Security Web-App-Sec

Re: Proposal to anti-phishing

Subject: Re: Proposal to anti-phishing
Date: Wed, 19 Jan 2005 10:08:04 +0100
Michael Silk wrote:
> Florian said:
> > It's acceptable neither to customers nor to banks. These days, zero-setup online banking is an absolute must.
>
> Not for corporate customers ...

Not for anyone. In Sweden, where I live, all banks have online banking. One tried to do a zero-setup version, but people wouldn't use it because it didn't feel secure. The rest of the banks use one of the two following systems:
1/ DigiPass (about the size of a flattened matchbox).
When you log in to your bank, you need to produce your login name (social security number or something auto-assigned) and then the bank will challenge you with one or multiple series of numbers, which you enter into the digipass to get another series of digits that you enter back to the bank before you're logged in. Once logged in, you still can't transfer money just anywhere. You have to set up and sign a recipient account, and you have to sign each set of transfers, including transfers to any account except those which you have unshared access to. Each digipass is sent by mail to the recipient, accompanied by a note stating that you need to visit a bank office to activate it properly. The digipass activation code is sent in a different envelope one week after the digipass box.
The digipass box is PIN-protected. The PIN must be entered for each new signing, and three bad PINs lock it completely, in which case you must get a new one from the bank (about $10). If you break it open, you'll break the ROM inside (a da Vinci construction, actually).


2/ Scratchcard
Same as above, really, except that you read all your codes from a small scratch ticket with a series of numbers. Each ticket contains about 20 codes, and when there are only three left a new card is sent automatically by the bank. This is far less secure, as anyone can use the card if they steal it from you.


The point with this is that while these solutions might seem cumbersome, customers won't actually touch their money online without them. Perhaps that's just us Swedes being security minded, but I believe any banking customer would agree to it if the bank simply explained that it's needed so no one can rob the customer blind.

Cheers

/exon
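The login-challenge, signed-recipient and signed-transfer flow that the post describes for the DigiPass system, modelled as an added example (not code from the poster or from any bank). It assumes a secret shared between token and bank, an HMAC-SHA256-derived 8-digit code (the real DigiPass algorithm is not given in the post), and the three-bad-PINs lockout the post mentions; the `Token`, `Bank` and `response_code` names are constructed for the example.

```python
import hashlib, hmac, os

MAX_BAD_PINS = 3  # three wrong PINs lock the token for good

def response_code(secret: bytes, data: str) -> str:
    # 8-digit code over shared secret + approved data (HMAC-SHA256 is a modelling assumption)
    mac = hmac.new(secret, data.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Token:
    # Customer-side PIN-protected token; secret and PIN never leave the device
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self.bad_pins, self.locked = 0, False
    def respond(self, pin: str, data: str):
        if self.locked:
            return None  # a locked token is only replaced by the bank
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.bad_pins += 1
            self.locked = self.bad_pins >= MAX_BAD_PINS
            return None
        self.bad_pins = 0
        return response_code(self._secret, data)

class Bank:
    # Bank side: one-time login challenges, signed recipients, signed transfers
    def __init__(self):
        self._secrets, self._recipients, self._challenges = {}, {}, {}
    def enroll(self, login: str, secret: bytes):
        self._secrets[login], self._recipients[login] = secret, set()
    def login_challenge(self, login: str) -> str:
        self._challenges[login] = f"{int.from_bytes(os.urandom(4), 'big') % 10**8:08d}"
        return self._challenges[login]
    def _check(self, login: str, data: str, response) -> bool:
        return hmac.compare_digest(response_code(self._secrets[login], data), response or "")
    def verify_login(self, login: str, response) -> bool:
        chal = self._challenges.pop(login, None)  # each challenge is usable once
        return chal is not None and self._check(login, "login:" + chal, response)
    def sign_recipient(self, login: str, account: str, response) -> bool:
        ok = self._check(login, "recipient:" + account, response)
        if ok:
            self._recipients[login].add(account)
        return ok
    def transfer(self, login: str, account: str, amount: int, response) -> bool:
        if account not in self._recipients[login]:
            return False  # unsigned recipient: refused even with a valid code
        return self._check(login, f"transfer:{account}:{amount}", response)
```

The data string fed to `respond` stands in for the digits the customer keys into the device; binding the transfer's recipient and amount into the signed data is what stops a captured login code from being replayed as a payment.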
