funsec mailing list archives

Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases


From: Bill Weiss <houdini+funsec () clanspum net>
Date: Thu, 28 Jun 2007 08:58:11 -0600

Jim Murray(jim () digitaldaemons co uk)@Thu, Jun 28, 2007 at 09:57:51AM +0100:
Dennis Henderson wrote:
When will the customer have to have at least some responsibility for
their action/inactions?

I guess the person who invents the perfectly secure internet
transaction will be the richest person on the planet. Imagine being
able to conduct a secure pc based internet transaction with every kind
of trojan and keylogger installed....

Very simple, though I can't (unfortunately!) take credit for inventing it.

Issue the customer with a numbered list of one-time passwords.
For each transaction, have the bank computer require the use of one of
those passwords, chosen at random.

That way, no matter what trojans, sniffers or other garbage are on the
PC the most they can capture is the password for one single transaction
which instantly becomes useless for any future transactions.

Ok, so you type in your OTP.  I MITM it and (while you're waiting for your
login) log into your bank.  Transfer some money to my anonymized swiss
account from yours quickly, then log back out.  Throw a "whups, password
failed" screen at you and let you log in again without my MITM.

How many users won't fall for that?

-- 
Bill Weiss
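As an added example that is not part of the thread: a small Python simulation of the two schemes under discussion, the printed list of one-time passwords and a code bound to the transaction details (payee and amount), showing why a captured list code authorises whichever transfer arrives with it while a transaction-bound code does not. The `ListOtpBank`/`BoundOtpBank` classes, the shared key and the synchronized counter are constructed assumptions for the demo, not any bank's implementation.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the customer's token/app and the bank.
SHARED_KEY = b"constructed-demo-key-not-real"


class ListOtpBank:
    """Bank side of the 'numbered list of one-time passwords' scheme.
    Any unused code from the list authorises whatever transaction arrives with it."""

    def __init__(self, codes):
        self.unused = set(codes)

    def submit(self, code, payee, amount_cents):
        if code not in self.unused:
            return False
        self.unused.remove(code)          # single use, as the list scheme promises
        return True                       # but payee/amount were never checked


def tx_code(key, counter, payee, amount_cents, digits=8):
    """Transaction-bound code: HMAC over a counter and the transaction details."""
    msg = f"{counter}|{payee}|{amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**digits:0{digits}d}"


class BoundOtpBank:
    """Bank side of the transaction-bound scheme (counter assumed synchronized)."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def submit(self, code, payee, amount_cents):
        expected = tx_code(self.key, self.counter, payee, amount_cents)
        if not hmac.compare_digest(code, expected):
            return False                  # code does not match *this* transaction
        self.counter += 1                 # consume the counter: no replay
        return True


def demo():
    """Customer intends to pay 'Acme Ltd' 100.00; the typed code is captured and
    resubmitted with a substituted payee before the customer's own request lands."""
    codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(5)]  # constructed list
    list_bank = ListOtpBank(codes)
    list_substituted = list_bank.submit(codes[2], "Substituted Payee", 100_00)

    bound_bank = BoundOtpBank(SHARED_KEY)
    typed = tx_code(SHARED_KEY, bound_bank.counter, "Acme Ltd", 100_00)
    bound_substituted = bound_bank.submit(typed, "Substituted Payee", 100_00)
    bound_genuine = bound_bank.submit(typed, "Acme Ltd", 100_00)
    bound_replay = bound_bank.submit(typed, "Acme Ltd", 100_00)
    return {"list_substituted": list_substituted, "bound_substituted": bound_substituted,
            "bound_genuine": bound_genuine, "bound_replay": bound_replay}
```

The list scheme reports the substituted transfer as accepted, whereas the bound scheme rejects both the substituted payee and a later replay of the same code; the mitigation only holds if the customer's device shows the payee and amount it is signing.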
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.