WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Jimi Thompson <jimi.thompson () gmail com>
Date: Fri, 21 Jan 2005 00:23:34 -0600
<SNIP>
Zero-setup online banking will be possible again (with SSL client certs, hear me beat the drum once more) once enough clients have smart card readers as standard equipment, properly integrated with the operating system and the browsers. For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.
</SNIP> Why not use something like the Rainbow Ikey that uses a USB connection which virtually every computer has nowdays? It too is an EPROM with a PKI public/private key pair. That way there's not extra hw to install and you don't have to wait for the item to percolate through the market place. Remember betamax? Consumer are used to carrying around bar code tabs for their shopping/store club/discount/credit cards and such on their key chains, why not that too? The caveat is this - all authentication is based on one of 2 things - something you have (token, thumb print, etc.) or something you know (PIN, password, etc.). The "something you have" can be stolen. Right now, we have people going after the "something you know" by placing devices on ATM machines to record information, identity theft on line, phishing for id10ts, etc. Now instead of realatively non-violent (although highly annoying) crimes like phishing, we'll see an escalation in muggings, purse snatchings, and the general category of beating people up and taking their stuff. As an aside, my big fear with biometrics is that some criminal groups will start cutting off pertinent pieces of people in order to gain access to accounts. Before someone pipes up and says that it'll never happen, I can tell you from personal eye-witness experience that there are more than a few people on this planet who are perfectly willing to cut off another person's hand or fingers to get their rings, watch, bracelet, etc. If they'll do it for some jewelry, which will hock at the pawn shop for about $20, they'll definitely do it get into your checking account. One thing that I've not seen discussed here is non-repudiation. Non-repudiation was a major portion of the last PKI wg. It's very important in dealing with legal and money matters. What do you when my on line identity gets used and I say it wasn't me? Just how good is your system? Will it stop me from buying a Lexus or transferring all my money to the Cayman Islands and saying that I didn't? While I agree with the "zero setup" stuff, it's probably not legal in the USA. We have laws that require you physically show identification and few other things when opening a checking account. There are more laws that require the reporting of large sums of money. This is to prevent the laundering of drug money (for example) as well as other illegal activites. The federal laws are pretty minimal, but some states have stricter laws about this. Any bank that isn't doing something to physically look at ID's is probably in voilation of something. I admit that these aren't well inforced but they should be. 2 cents (as usual) -- Thanks, Jimi
Current thread:
- Re: Proposal to anti-phishing, (continued)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- Re: Proposal to anti-phishing Griffiths, Ian (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing lists (Jan 24)
- Re: Proposal to anti-phishing Kurt Seifried (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 27)
- Re: Proposal to anti-phishing Moksha Faced (Jan 27)
- Re: Proposal to anti-phishing Jimi Thompson (Jan 23)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
- Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- Re: Proposal to anti-phishing exon (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)