
| Subject: | Re: Proposal to anti-phishing |
|---|---|
| Date: | Mon, 24 Jan 2005 09:18:14 +0100 |
-----Original Message-----
From: Rogan Dawes [mailto:discard@dawes.za.net] Sent: Monday, 17 January 2005 7:14 PM
To: Florian Weimer
Cc: Rafael San Miguel; webappsec@securityfocus.com; Enrique.Diez@dvc.es
Subject: Re: Proposal to anti-phishing
[snip]
For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.
IBM, Compaq and HP have (at least in the past, as well as currently) also offered similar capability. But these are weak against keyboard sniffer trojans that also enact authenticated transactions on behalf of the attacker. We don't have a good metric on how to detect 'bad' transactions in this scenario - all transactions received by the bank are constructed with the smartcard's keys. This is turning the consumer's PC into the phishing target, not the bank site per se.
And then there are other issues, like which smartcard + PKI + message format must be supported by the PC, OS, and user's software. And do all these factors interoperate smoothly with all the other software a banking customer may have? Finally, there is the need to re-authenticate every customer in order to issue a new identifier in the form of the card.
Technically, a good idea. Practically, and commercially, very hard and expensive to do. Requiring every on-line banking customer to buy a new computer in order to use on-line banking is probably worse than giving customers a new computer, something that does happen for high worth individuals in a few rare cases.
We cannot just avoid the issue by saying that banks and clients "don't wanna!" go to the trouble of setting up a new device so they can be secure online.
I agree. First, we need to have both banks and customers say "we want better security, it's our problem, not someone else's".

We don't buy cars and houses without locks, doors and in some cases, alarms. We buy letter boxes so the mailman doesn't pin our letters to the fence for all to read. We all do these things, and have the minor inconvenience of carrying keys (and possibly losing them) and remembering alarm codes to prevent easy theft and misuse.

Why do banks expect consumers to take responsibility for a service the bank is 'selling' which has no locks, doors or alarms, then complain about fraud by and against those same customers?

If on-line fraud were harder for criminals, they'd look at some other channel or give up.
Lyal
Rogan
--
Rogan Dawes
*ALL* messages to discard@dawes.za.net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
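The failure mode Lyal describes above (a keyboard sniffer on the customer's PC captures the PIN, and the trojan then has the same smartcard sign its own transfer, so the bank sees two equally valid signatures) as an added, self-contained model. This is example code written for this archive page, not code from anyone in the thread. Assumptions: the card's signing key is modelled as an HMAC key shared with the bank (real cards hold an asymmetric key; the argument is identical), the transaction encoding, card id `card-1`, PIN and amounts are all constructed, and the `trusted_path` branch goes beyond the thread: it models a reader with its own display and keypad, so the card only signs a transaction the user has approved outside the PC's reach.

```python
"""Model of the 'keyboard sniffer trojan + smartcard' failure mode.

Constructed example: an HMAC key stands in for the card's signing key, a host PC
forwards the PIN and transaction to the card, and the bank only has the signature
(plus a replay counter) to judge a transaction by.
"""
import hashlib
import hmac
import json
from typing import Callable, Dict, Optional


def encode_tx(payee: str, amount_cents: int, seq: int) -> bytes:
    """Canonical encoding so card and bank sign/verify exactly the same bytes."""
    tx = {"payee": payee, "amount": amount_cents, "seq": seq}
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


class SmartCard:
    """Signs whatever the host presents once the PIN is correct.

    `confirm` is the assumed trusted-path reader: when set, the card signs only
    if the user approves the decoded transaction on the reader's own display.
    """

    def __init__(self, card_id: str, key: bytes, pin: str,
                 confirm: Optional[Callable[[dict], bool]] = None) -> None:
        self.card_id = card_id
        self._key = key
        self._pin = pin
        self._confirm = confirm

    def sign(self, pin: str, message: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None
        if self._confirm is not None and not self._confirm(json.loads(message)):
            return None  # user did not approve this exact transaction
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Bank:
    """Accepts a transaction iff the card's signature verifies and seq is fresh."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_seq: Dict[str, int] = {}

    def enrol(self, card_id: str, key: bytes) -> None:
        self._keys[card_id] = key
        self._last_seq[card_id] = 0

    def accept(self, card_id: str, message: bytes, tag: Optional[bytes]) -> bool:
        key = self._keys.get(card_id)
        if key is None or tag is None:
            return False
        expected = hmac.new(key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        seq = json.loads(message)["seq"]
        if seq <= self._last_seq[card_id]:
            return False  # replay of an already-processed transaction
        self._last_seq[card_id] = seq
        return True


def run_scenario(trusted_path: bool) -> Dict[str, bool]:
    """Compromised PC: the sniffer grabs the PIN, the trojan then signs its own transfer."""
    card_key = bytes(range(32))  # constructed; stands in for the card's private key
    bank = Bank()
    bank.enrol("card-1", card_key)

    intended = {"payee": "ACME Utilities", "amount": 4200}

    def on_reader_display(tx: dict) -> bool:
        # The user compares the reader's display with what they meant to pay.
        return (tx["payee"], tx["amount"]) == (intended["payee"], intended["amount"])

    card = SmartCard("card-1", card_key, pin="1234",
                     confirm=on_reader_display if trusted_path else None)

    captured: Dict[str, str] = {}

    def keyboard(text: str) -> str:
        captured["pin"] = text  # the keyboard sniffer sees every keystroke
        return text

    # 1. The legitimate transaction, exactly as the user entered it.
    user_tx = encode_tx(intended["payee"], intended["amount"], seq=1)
    user_ok = bank.accept("card-1", user_tx, card.sign(keyboard("1234"), user_tx))

    # 2. The trojan, holding the PIN and the same card, submits its own transfer.
    trojan_tx = encode_tx("Mule Account 7", 950_000, seq=2)
    trojan_ok = bank.accept("card-1", trojan_tx, card.sign(captured["pin"], trojan_tx))

    return {"user_accepted": user_ok, "trojan_accepted": trojan_ok}


if __name__ == "__main__":
    for tp in (False, True):
        print("trusted path" if tp else "PC only", run_scenario(tp))
```

With `trusted_path=False` both transactions are accepted and the bank has no field in which to tell them apart: the signature, the card id and the counter are all genuine, which is the point made in the thread. The replay counter does not help because the trojan creates a fresh transaction rather than replaying one. Only the variant where the card refuses to sign anything the user has not approved on a device the PC cannot drive rejects the trojan's transfer.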