Firewall Wizards mailing list archives
Re: Transitive Trust: 40 million credit cards hack'd
From: Kevin <kkadow () gmail com>
Date: Mon, 20 Jun 2005 18:35:09 -0500
On 6/20/05, Paul D. Robertson <paul () compuwar net> wrote:
> On Mon, 20 Jun 2005, Behm, Jeffrey L. wrote:
>> True, Marcus, but not everyone _does_ use 2 factor auth. So, at this point, it can be effective. You don't gotta outrun the bear, just the guy next to you.
>
> That assumes (1) a single bear OR (2) that you can outrun the bear in the time it takes it to disable the other target. Autonomous malcode changes that equation, as does semi-random targeting.
>
> OTOH, attacking tokens and other OTP schemes requires a whole different toolkit (a "better bear"), while the current crop of keyloggers and phishing is working fine as "store and forward" attacks where they can assume the credentials they log will be valid for quite some time.
>
> Now, personally, I'm all for making most of the current crop of attacker tools outdated, not because I think it'll make us safe, but because it'll force attackers to keep up, and I'd rather they not be provided the option of being lazy if we all have to work too.

So long as there are plenty of easy targets which do NOT require a better bear, the attackers will tend to go after the easy targets, and not bother to write tools which can be effective against tokens and OTP and other hardened targets. The American black bear is capable of eating porcupines, but so long as the supply of nuts and berries is plentiful, the bears leave them alone.

> But more importantly, two factor authentication starts to provide a really good base for accountability - and THAT is what we *need*.

Shhh! Accountability may be the only real advantage that 2-factor has over old-fashioned reusable passwords, but if the users get wind that the real reason they are being issued tokens isn't to protect *them* but rather to protect *us*, we will have a revolt on our hands :)

Take for example the SecurID tokens issued by E*Trade and AOL. Does anybody really believe that E*Trade is giving their customers "free" tokens to help protect the user from hackers, rather than to protect E*Trade from users who say "I didn't make that losing trade, my account must have been hacked, refund my losses!"? It's all about audit trails and non-repudiation; if there is any advantage to personal privacy, that's just an unintended side-effect.

Kevin Kadow