funsec mailing list archives

Re: New security measures at the Cambridge Savings Bank


From: Valdis.Kletnieks () vt edu
Date: Tue, 31 Oct 2006 16:58:09 -0500

On Tue, 31 Oct 2006 15:04:33 EST, "Richard M. Smith" said:

To log onto a bank account, one still uses a username and password.
However, the computer must also have a special "security" cookie set on the
computer.  This cookie gets generated by the bank's Web site after someone
answers a number of "secret" questions about their account.  An account can
also be locked down to only work on one particular computer.  I'm not sure
what happens if someone clears out their browser cookies.

Oh dear, another security scheme that provides zero additional benefit if the PC
in question has been pwned by any sort of keystroke logger or similar
spyware - at that point snarfing up all the cookies in addition to user/pass
is trivial.

Of course, to be fair, it's *really* hard to do something in a secure manner
when there's a very real non-zero chance that you're doing the computing on
a platform that's controlled by the adversary.

Anybody got good recent numbers on what % of PCs are essentially pwned by
spyware/adware/etc (include *any* software that's able to "phone home" to
update itself, as it means that added snoopware can be downloaded at any
arbitrary time)?
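To make the scheme under discussion concrete, here is an added illustration (not code from the bank, the list, or either poster) of what such a "security cookie" check typically looks like on the server side: the cookie is minted after the secret-question step, carries the username, an issue time and a device id, and is authenticated with an HMAC so it cannot be forged without the server key. The account lock-to-one-computer feature is modelled by pinning the device id. All keys, users and passwords are constructed for the demo. The comments mark the limitation Valdis points out: the cookie is just another bearer secret living on the client, so it adds nothing once the client itself is compromised; the one defensive signal it does give is the device id, which can be logged and alerted on.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo secrets; a real deployment loads these from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
PASSWORD_SALT = b"constructed-salt"
COOKIE_TTL = 30 * 24 * 3600  # device cookies expire after 30 days


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


# Constructed user database: username -> password hash.
USERS: Dict[str, bytes] = {"alice": hash_password("correct horse")}
# Optional "lock to one computer": username -> the only device id allowed.
LOCKED_DEVICE: Dict[str, str] = {}


def issue_device_cookie(username: str, now: Optional[int] = None) -> str:
    """Mint the cookie after the user has answered the secret questions.

    Format: user|issued_at|device_id|mac, mac = HMAC-SHA256(SERVER_KEY, first three fields).
    """
    now = int(time.time()) if now is None else now
    device_id = secrets.token_hex(8)
    payload = f"{username}|{now}|{device_id}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_device_cookie(cookie: str, username: str, now: Optional[int] = None) -> bool:
    """True if the cookie is well-formed, unexpired, MAC-valid, for this user and device."""
    now = int(time.time()) if now is None else now
    parts = cookie.split("|")
    if len(parts) != 4:
        return False
    cookie_user, issued_at, device_id, mac = parts
    if cookie_user != username:
        return False
    try:
        issued = int(issued_at)
    except ValueError:
        return False
    if issued > now or now - issued > COOKIE_TTL:
        return False
    expected = hmac.new(
        SERVER_KEY, f"{cookie_user}|{issued_at}|{device_id}".encode(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    # Account locked to a single computer: any other device id is refused.
    locked = LOCKED_DEVICE.get(username)
    return locked is None or locked == device_id


def lock_account_to_device(username: str, cookie: str) -> None:
    """Pin the account to the device id carried in an already-verified cookie."""
    LOCKED_DEVICE[username] = cookie.split("|")[2]


def login(username: str, password: str, cookie: Optional[str]) -> str:
    """Returns 'ok', 'bad-credentials' or 'needs-device-enrollment'.

    Note the threat model gap: username, password and cookie all originate on
    the client, so a host with a keystroke logger that also reads the cookie
    jar presents exactly the same three values and passes this check.
    """
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return "bad-credentials"
    if cookie is None or not verify_device_cookie(cookie, username):
        # The user must redo the secret-question step (e.g. after clearing cookies).
        return "needs-device-enrollment"
    # Defensive use of the device id: log it so a login from a never-seen
    # device id can be alerted on, even though it cannot stop a cloned cookie.
    return "ok"
```

The server never stores the cookie itself, only the key, so a cleared browser simply drops the user back to the enrollment step; the cost of that design is that nothing in the check distinguishes the legitimate browser from a copy of its cookie jar sent from elsewhere.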

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.