Re: Proposal to anti-phishing

[Rogan Dawes <discard () dawes za net>]

Michael Silk wrote:
> > I think it is a reasonable thing to say to users when the certificate is
> > issued to them:
> >
> > We will NOT EVER ask you for any other authentication information on our
> > web site. This certificate is the only way that you authenticate to us
> > on the Internet. If you ever see our bank web site asking you for your
> > authentication information, please report it immediately to our security
> > department.
>
>
> But how will it be said? On paper? It will be ignored. Over the phone?
> Forgotten. In person ? Probably ignored. Nailed to their forehead ?
> ...

Every time they connect to the website, it could be displayed to the user?

> > > Ah yes, of course. Then we face the problem of users having lots of
> > > these little devices ... or losing them, or insecure use (leave in
> > > slot), etc ...
> >
> > Well, it is possible for a single token to contain multiple
> > certificates/private keys, so it does not HAVE to lead to proliferation.
> > And of course, a number of banks are issuing smart card based credit
> > cards and debit cards. I wonder how big a leap it would be for the banks
> > to include a private key on the card, too.
>
>
> But then you are creating more problems for the poor customer who
> loses his card. Not only does he now have to worry about his credit
> limit being maxed, but all his savings stolen too...

Not if the user has to enter a PIN to access the certificate on the card.

> > I would like to think that people would not leave their credit cards in
> > the slot when they are finished, as they asociate the credit card with
> > physical security (keep it with me).
>
>
> And I'd like to think that users would lock their workstations when
> they wander around the office, or, or, or ...
>
> The slots would have to beep very annoyingly to remind the user to
> take it out (a la ATMs) otherwise they would most definately forget.

The website could remind the user to pull the card out when they are 
finished. And a PIN timeout could prevent the card from being usable for 
extended periods, even if the screensaver is not enabled.
> Even still, how many people would leave their wallets at their desk (I
> do). 

That's fine, if you like people to help themselves to the cash in your 
wallet. ;-)

> What about women (not to get sexist here ...:)) but I don't see
> them carrying their purse around the office :)

True, but they do at least tend to put them into a drawer or cupboard.

> -- Michael

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"