Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Proposal to anti-phishing

from [Rogan Dawes] Network Security [Permanent Link]
Subject: Re: Proposal to anti-phishing
Date: Wed, 19 Jan 2005 11:59:24 +0100
Michael Silk wrote: 
I think it is a reasonable thing to say to users when the certificate is
issued to them:

We will NOT EVER ask you for any other authentication information on our
web site. This certificate is the only way that you authenticate to us
on the Internet. If you ever see our bank web site asking you for your
authentication information, please report it immediately to our security
department.



But how will it be said? On paper? It will be ignored. Over the phone?
Forgotten. In person ? Probably ignored. Nailed to their forehead ?
...


Every time they connect to the website, it could be displayed to the user?

Ah yes, of course. Then we face the problem of users having lots of
these little devices ... or losing them, or insecure use (leave in
slot), etc ...


Well, it is possible for a single token to contain multiple
certificates/private keys, so it does not HAVE to lead to proliferation.
And of course, a number of banks are issuing smart card based credit
cards and debit cards. I wonder how big a leap it would be for the banks
to include a private key on the card, too.



But then you are creating more problems for the poor customer who
loses his card. Not only does he now have to worry about his credit
limit being maxed, but all his savings stolen too...


Not if the user has to enter a PIN to access the certificate on the card.

I would like to think that people would not leave their credit cards in
the slot when they are finished, as they asociate the credit card with
physical security (keep it with me).



And I'd like to think that users would lock their workstations when
they wander around the office, or, or, or ...

The slots would have to beep very annoyingly to remind the user to
take it out (a la ATMs) otherwise they would most definately forget.

The website could remind the user to pull the card out when they are finished. And a PIN timeout could prevent the card from being usable for extended periods, even if the screensaver is not enabled.

Even still, how many people would leave their wallets at their desk (I
do).

That's fine, if you like people to help themselves to the cash in your wallet. ;-)

What about women (not to get sexist here ...:)) but I don't see
them carrying their purse around the office :)


True, but they do at least tend to put them into a drawer or cupboard.


-- Michael



Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Smart card proposal, Rogan Dawes
Next by Date:  Re: SQL injection, Serg Belokamen
Previous by Thread:  Re: Proposal to anti-phishing, Michael Silk
Next by Thread:  RE: Proposal to anti-phishing, Michael Silk
Indexes:  [Date] [Thread] [Top] [All Lists]