funsec mailing list archives

Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Thu, 28 Jun 2007 10:55:13 -0500

On 6/28/07, Bill Weiss <houdini+funsec () clanspum net> wrote:

Jim Murray (jim () digitaldaemons co uk) @ Thu, Jun 28, 2007 at 09:57:51AM +0100:
> Dennis Henderson wrote:
> > When will the customer have to have at least some responsibility for
> > their action/inactions?
> >
> > I guess the person who invents the perfectly secure internet
> > transaction will be the richest person on the planet. Imagine being
> > able to conduct a secure pc based internet transaction with every kind
> > of trojan and keylogger installed....
>
> Very simple, though I can't (unfortunately!) take credit for inventing
> it.
>
> Issue the customer with a numbered list of one-time passwords.
> For each transaction, have the bank computer require the use of one of
> those passwords, chosen at random.
>
> That way, no matter what trojans, sniffers or other garbage are on the
> PC the most they can capture is the password for one single transaction
> which instantly becomes useless for any future transactions.

Ok, so you type in your OTP.  I MITM it and (while you're waiting for your
login) log into your bank.  Transfer some money to my anonymized swiss
account from yours quickly, then log back out.  Throw a "whups, password
failed" screen at you and let you log in again without my MITM.

How many users won't fall for that?

It's certainly in use today.

The whole MITM attack scene has been acknowledged as a valid threat vector.
I would imagine that it works best on those websites that have yet to
implement multifactor authentication and fraud analysis technologies, etc.

Fortunately controls within the banks that actually consider this risk
vector would review this kind of transaction before allowing it to occur.
Not every bank does, but I know one that does.. :) Not that far different
from Discover calling you to ask about an unusual purchase you just made in
London..... only before the wire is allowed out.

Some banks are starting to treat money movement like the above mentioned
wire as something that needs extra controls (duh!). They are creating things
like call-backs, SMS messages to customers' cell phones with one-time PINs
at the time of wire execution. Do these methods remove risk? NO. But they
certainly reduce it, for a while at least.

Banks need to figure out what risk level they're willing to assume, set the
expectations of those risks with the customers that accept the bank's
requirements and stay on top of the changing threats. If a bank is willing
to provide a very risky service without requiring any special risk reducing
methodologies and controls, then they should budget for losses
accordingly.....


Managing risk is the goal on the ground. The success of that depends on
dozens of factors: skills, budget, regulations, what the customer wants vs
the risk of delivering that service, customers' willingness to keep their
computer secure and use safe surfing habits....
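As an added illustration (not part of the thread), this Python model contrasts Jim's printed list of one-time passwords with a one-time code bound to the transaction details, as in the SMS PIN at wire execution that Dennis describes; BANK_KEY, the HMAC construction and the account names are constructed assumptions, not any bank's actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed per-customer secret held by the bank (hypothetical).
BANK_KEY = secrets.token_bytes(32)


def issue_tan_list(n=5):
    """Jim's scheme: a numbered list of independent one-time passwords (TANs)."""
    return [secrets.token_hex(3) for _ in range(n)]


def verify_tan(unused_tans, tan):
    """Plain-list check: the bank only asks 'is this TAN fresh?'. Nothing ties it
    to an amount or destination, so a relayed TAN authorises whatever the relayer sends."""
    if tan not in unused_tans:
        return False
    unused_tans.remove(tan)
    return True


def issue_bound_code(txid, amount, dest):
    """Transaction-bound one-time code (the SMS PIN at wire execution), modelled as a
    truncated HMAC over the transaction details. The bank sends it out of band together
    with the amount and destination, so the customer sees what the code will approve."""
    msg = f"{txid}|{amount}|{dest}".encode()
    return hmac.new(BANK_KEY, msg, hashlib.sha256).hexdigest()[:6]


def verify_bound_code(used_txids, code, txid, amount, dest):
    """Bound-code check: constant-time compare, and each txid is approved at most once."""
    if txid in used_txids:
        return False
    if not hmac.compare_digest(code, issue_bound_code(txid, amount, dest)):
        return False
    used_txids.add(txid)
    return True


def demo():
    """Customer intends 100 to 'landlord'; a relayed code is presented for 1000 to 'mule'."""
    tans = issue_tan_list()
    plain_relayed_ok = verify_tan(set(tans), tans[0])                       # accepted
    code, used = issue_bound_code("tx1", 100, "landlord"), set()
    bound_relayed_ok = verify_bound_code(used, code, "tx1", 1000, "mule")   # rejected
    bound_legit_ok = verify_bound_code(used, code, "tx1", 100, "landlord")  # accepted
    bound_replay_ok = verify_bound_code(used, code, "tx1", 100, "landlord") # rejected
    return plain_relayed_ok, bound_relayed_ok, bound_legit_ok, bound_replay_ok
```

The bound code still depends on the customer reading the amount and destination in the out-of-band message before approving, which is the "reduce, not remove" point above.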
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.