funsec mailing list archives

Re: The end of Phishing in sight?


From: Tom Van Vleck <thvv () multicians org>
Date: Tue, 18 Oct 2005 17:39:10 -0400

On Oct 18, 2005, at 5:00 PM, Blanchard_Michael () emc com wrote:
I certainly agree that spyware running on a victim's machine can circumvent
any protection that is put in place.

The "right way" to do this is with a display and input on the
trusted device.  Then you can work out a protocol where the token
displays the transaction and the user confirms it, and the PC
becomes just another part of the untrusted network.  This was our
conclusion when I worked at CyberCash on the SET protocol some
years back.


Perhaps online banks should make it mandatory to run a spyware program
and an antivirus program before activating an online banking account?
Although this gets very hairy, very quickly.  But there are enough free
spyware checkers that are better than non-free versions, and there are
a few AV products that are "good enough" for banking and are free.
Perhaps online banks should just make a very stern recommendation that
users run these programs, and make it sound like they are required to
use the online bank...

Free checkers for all operating systems or just One Chosen OS?  I can
see it now, bank insists that I run a buggy insecure OS in order to
run a spyware checker that "fixes" the problems the buggy insecure OS
caused in the first place.

How about an online bank that just refuses to work with certain products
and operating systems known to be insecure? i.e. 90% of the market? Oops.

The Trusted Computing stuff is another approach.  Conceal within
the user's PC what is basically a second computer, with its own
hypervisor and a trustable OS.  Then the bank and the TPM can exchange
crypto and do stuff.  Nice thing about that is that it can be much
more powerful than a smartcard.   You believe that one?

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
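The confirm-on-the-token protocol sketched in the message above (the token shows the transaction on its own display, the user approves it there, and the PC is treated as an untrusted relay) as an added, runnable illustration. This is not code from the thread, from CyberCash or from SET; it assumes a shared HMAC key between the token and the bank, a one-time challenge issued by the bank per transaction, and a user who approves only what they actually typed. Names, amounts and the tamper callbacks are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so token and bank MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def render(tx: dict) -> str:
    """What the token's own screen shows; this is what the user approves."""
    return f"PAY {tx['amount']} {tx['currency']} TO {tx['to']}"


class Bank:
    """Issues one-time challenges and verifies the token's MAC over the transaction."""

    def __init__(self, token_key: bytes):
        self.token_key = token_key
        self.issued = set()   # challenges handed out
        self.used = set()     # challenges already consumed (replay defence)

    def new_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def submit(self, tx: dict, nonce: str, tag: str) -> str:
        if nonce not in self.issued or nonce in self.used:
            return "rejected by bank: unknown or replayed challenge"
        expected = hmac.new(self.token_key, nonce.encode() + canonical(tx),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected by bank: MAC mismatch"
        self.used.add(nonce)
        return "accepted"


class Token:
    """Trusted device: shows the transaction on its own display, MACs it only if confirmed."""

    def __init__(self, key: bytes, confirm):
        self.key = key
        self.confirm = confirm  # models the user reading the token screen: str -> bool

    def authorize(self, tx: dict, nonce: str):
        if not self.confirm(render(tx)):
            return None  # user pressed "cancel" on the token
        return hmac.new(self.key, nonce.encode() + canonical(tx),
                        hashlib.sha256).hexdigest()


def user_expecting(intended: dict):
    """A careful user: approves only if the token screen shows exactly the intended payment."""
    want = render(intended)
    return lambda shown: shown == want


def run(bank, token, intended, tamper_before=None, tamper_after=None, replay=False) -> str:
    """One transaction through the untrusted PC. The tamper hooks model malware on the PC."""
    nonce = bank.new_challenge()
    # PC step 1: forward the user's transaction to the token (malware may rewrite it here)
    tx_for_token = tamper_before(intended) if tamper_before else intended
    tag = token.authorize(tx_for_token, nonce)
    if tag is None:
        return "refused by user at token display"
    # PC step 2: forward the signed transaction to the bank (malware may rewrite it here)
    tx_for_bank = tamper_after(tx_for_token) if tamper_after else tx_for_token
    result = bank.submit(tx_for_bank, nonce, tag)
    if replay and result == "accepted":
        return bank.submit(tx_for_bank, nonce, tag)  # PC resends the same signed message
    return result


def demo() -> dict:
    """Constructed scenarios: honest PC, malware rewriting before/after the token, replay."""
    key = secrets.token_bytes(32)             # provisioned into token and bank out of band
    intended = {"to": "Alice", "amount": "100.00", "currency": "USD"}
    mallory = {"to": "Mallory", "amount": "9000.00", "currency": "USD"}
    bank, token = Bank(key), Token(key, user_expecting(intended))
    return {
        "honest": run(bank, token, intended),
        "rewrite_before_token": run(bank, token, intended, tamper_before=lambda tx: mallory),
        "rewrite_after_token": run(bank, token, intended, tamper_after=lambda tx: mallory),
        "replay": run(bank, token, intended, replay=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

The two tamper points are the whole argument: malware that edits the transaction before it reaches the token is caught by the user reading the token's display, and malware that edits it afterwards is caught by the bank's MAC check, so the PC adds nothing the bank has to trust. The caveat the thread touches on still applies: this only holds if the token has its own display and its own confirm button, and a compromised PC cannot drive either.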