Network Security Web-App-Sec

RE: Proposal to anti-phishing

Subject: RE: Proposal to anti-phishing
Date: Thu, 20 Jan 2005 06:22:59 +1100


-----Original Message-----
From: Rogan Dawes [mailto:discard@dawes.za.net] 
Sent: Monday, 17 January 2005 7:14 PM
To: Florian Weimer
Cc: Rafael San Miguel; webappsec@securityfocus.com; 
Enrique.Diez@dvc.es
Subject: Re: Proposal to anti-phishing



[snip]


For an example, I look to the Dell Latitude D600, which comes with an
integrated smart card reader. Maybe a good feature addition for the new
LCD monitors would be a smart card reader slot, connected via USB. The
more people use them, the more ubiquitous they will be, and the less
"setup" will be required by new users/clients.

IBM, Compaq and HP have (at least in the past, as well as currently) also
offered similar capability.
But these are weak against keyboard sniffer trojans that also enact
authenticated transactions on behalf of the attacker.  We don't have a good
metric on how to detect 'bad' transactions in this scenario - all
transactions received by the bank are constructed with the smartcard's keys.
This is turning the consumer's PC into the phishing target, not the bank
site per se.

And then there are other issues, like which smartcard + pki + message format
must be supported by the PC, OS, and user's software.  And do all these
factors interoperate smoothly with all the other software a banking customer
may have.
Finally, there is the need to re-authenticate every customer in order to issue
a new identifier in the form of the card.


Technically, a good idea.  Practically, and commercially, very hard and
expensive to do.  Requiring every on-line banking customer to buy a new
computer in order to use on-line banking is probably worse than giving
customers a new computer, something that does happen for high worth
individuals in a few rare cases.
 
We cannot just avoid the issue by saying that banks and 
clients "don't 
wannna!" go to the trouble of setting up a new device so they can be 
secure online.

I agree.
First, we need to have both banks and customers say "we want better
security, it's our problem, not someone else's".

We don't buy cars and houses without locks, doors and in some cases, alarms.
We buy letter boxes so the mailman doesn't pin our letters to the fence for
all to read. We all do these things, and have the minor inconvenience of
carrying keys (and possibly losing them) and remembering alarm codes to
prevent easy theft and misuse.
Why do banks expect consumers to take responsibility for a service the bank
is 'selling' which has no locks, doors or alarms, then complain about fraud
by and against those same customers?

If on-line fraud were harder for criminals, they'd look at some other
channel or give up.

Lyal
