funsec mailing list archives
Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases
From: Bill Weiss <houdini+funsec () clanspum net>
Date: Thu, 28 Jun 2007 08:58:11 -0600
Jim Murray(jim () digitaldaemons co uk)@Thu, Jun 28, 2007 at 09:57:51AM +0100:
> Dennis Henderson wrote:
> > When will the customer have to have at least some responsibility for their action/inactions? I guess the person who invents the perfectly secure internet transaction will be the richest person on the planet. Imagine being able to conduct a secure pc based internet transaction with every kind of trojan and keylogger installed....
>
> Very simple, though I can't (unfortunately!) take credit for inventing it. Issue the customer with a numbered list of one-time passwords. For each transaction, have the bank computer require the use of one of those passwords, chosen at random. That way, no matter what trojans, sniffers or other garbage are on the PC, the most they can capture is the password for one single transaction, which instantly becomes useless for any future transactions.

Ok, so you type in your OTP. I MITM it and (while you're waiting for your login) log into your bank. Transfer some money to my anonymized Swiss account from yours quickly, then log back out. Throw a "whups, password failed" screen at you and let you log in again without my MITM. How many users won't fall for that?

-- 
Bill Weiss
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
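The numbered one-time-password list described in the quoted message, sketched from the bank's side as an added example that is not part of either post. The class and function names are hypothetical and the codes are constructed. It shows what the scheme enforces (one use per code, replay rejected) and what verification never sees, which is the gap the reply points at.

```python
import hmac
import secrets


class OtpList:
    """Bank-side state for one customer's numbered one-time-password list."""

    def __init__(self, size=10):
        # Constructed sample codes: one random 6-digit code per numbered slot.
        self.codes = {i: f"{secrets.randbelow(10**6):06d}" for i in range(1, size + 1)}
        self.pending = None  # index the bank is currently asking for

    def challenge(self):
        """Pick an unused slot at random; the customer must answer with that code."""
        self.pending = secrets.choice(sorted(self.codes))
        return self.pending

    def verify(self, index, code):
        """Accept a code at most once, and only for the outstanding challenge.

        Note what is absent from the arguments: no payee, no amount, no
        identity of the connection that delivered the code. The check proves
        only that someone holding this code submitted it first.
        """
        if self.pending is None or index != self.pending:
            return False
        expected = self.codes[index]
        self.pending = None  # one attempt per challenge; a retry needs a new one
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        del self.codes[index]  # burn the code so a captured copy cannot be replayed
        return True


def demo():
    bank = OtpList()
    printed = dict(bank.codes)           # the paper list issued to the customer
    idx = bank.challenge()
    typed = printed[idx]                 # what the customer types on the PC
    first = bank.verify(idx, typed)      # first submission of the code is accepted
    replay = bank.verify(idx, typed)     # a later copy of the same code is rejected
    idx2 = bank.challenge()              # the next transaction asks for a different slot
    return first, replay, idx2 != idx, idx2 in printed


if __name__ == "__main__":
    print(demo())
```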