funsec mailing list archives
Re: [off-list] Re: NZ: Banks Demand a Look Inside Customer PCs in Fraud Cases
From: "Dennis Henderson" <hendomatic () gmail com>
Date: Thu, 28 Jun 2007 12:52:09 -0500
On 6/28/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Thu, 28 Jun 2007 07:44:32 CDT, Dennis Henderson said:
> > So tell me what steps do you take to make sure your online banking
> > experience is a safe one? If you don't do online banking, then please don't
> > comment further in this thread.
>
> Actually, I do quite a bit of it - recognizing that it's not 100% safe, but that there's tradeoffs. My software and hardware config is such that there's reasonably low risk involved

Did you have to take a week of training to get it to that reasonably safe level? I doubt it. I know you're a very smart guy, but the skill it takes to get XPSP2 IE7 to a fairly reasonable level to deal with the major current threats is not that demanding. You hit the nail on the head. Reasonably low risk. Not absolute low risk. Security that keeps you on the edge of the bell curve.

> - I'm quite frankly usually more worried about what that Applebee's employee is doing with my card while I'm paying for lunch.

So very true, but that's another story..
> > Is it so beneath you to provide positive
> > advice or commentary on *any* topic?
>
> OK. Here you go, I'll add a few just for you...
>
> Don't visit *any* web site that includes material (banner ads, linked images, and so on) from a third-party site, or that could possibly have been compromised since your last visit. Employ methods to prevent unpatched holes in your favorite browser from being used to exploit your machine. Unfortunately, neither of these is something that is easily doable by Joe Sixpack.

Again, following some very simple instructions can get you to fairly reasonable security, not absolute security. I agree with what you say above. It's almost impossible for ALL people to do this, not just Joe 6pack. But the 80/20 rule can be a very effective fraud reduction driver. Once you've covered those basics, the bleeding edge stuff that will bite the remainders poses a far less aggregate threat on the entire population.
> Yes, it *helps*, but it certainly does *not* make the risk low enough that one should judge that it *must* have been the user's fault somehow, for actually using the machine for what the operating system vendor and the bank both advertised as a reasonably safe activity - using the computer to surf the web and do electronic business and financial transactions.

Well, I guess if it came to a court case, the Bank would hopefully have the right to examine the computer to make sure that it was not comped when the transaction occurred. Probably folly anyway since a court case might not come to trial for months. Fortunately most banks are going to go that far yet as the phobia of publicity far outweighs the fear of placing some cash in a loss column...
> > 0days are still a minor vector compared to what's keeping the online banking
> > fraud cartels alive.
>
> Again, the fact that unpatched holes that people don't know about and can't
> easily defend themselves against may be 5% of the total doesn't mean that
> it's 0% and you can readily assign blame to the consumer.

Agreed. It would have to be solved either by litigation or simply quietly refunding the person's money. You can bet that most banks won't let it happen more than twice. It's just that today, those 0days are out there on the edge and don't comprise the aggregate threat that we face. The recent .it website attacks definitely got a lot of people's attention as it might be signalling a change in direction of the attack vector.

Well this thread is old enough to vote so it's time to kill it...