WebApp Sec mailing list archives
RE: Proposal to anti-phishing
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Mon, 24 Jan 2005 19:30:21 +1100
-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Monday, 24 January 2005 7:18 PM
To: Lyal Collins
Cc: 'Florian Weimer'; 'Rafael San Miguel'; webappsec () securityfocus com; Enrique.Diez () dvc es
Subject: Re: Proposal to anti-phishing

> Lyal Collins wrote:
>
> > -----Original Message-----
> > From: Rogan Dawes [mailto:discard () dawes za net]
> > Sent: Monday, 17 January 2005 7:14 PM
> > To: Florian Weimer
> > Cc: Rafael San Miguel; webappsec () securityfocus com; Enrique.Diez () dvc es
> > Subject: Re: Proposal to anti-phishing
> >
> > [snip]
> >
> > > For an example, I look to the Dell Latitude D600, which comes with an
> > > integrated smart card reader. Maybe a good feature addition for the new
> > > LCD monitors would be a smart card reader slot, connected via USB. The
> > > more people use them, the more ubiquitous they will be, and the less
> > > "setup" will be required by new users/clients.
> >
> > IBM, Compaq and HP have (at least in the past, as well as currently) also
> > offered similar capability. But these are weak against keyboard sniffer
> > trojans that also enact authenticated transactions on behalf of the
> > attacker. We don't have a good metric on how to detect 'bad' transactions
> > in this scenario - all transactions received by the bank are constructed
> > with the smartcard's keys. This is turning the consumer's PC into the
> > phishing target, not the bank site per se.
>
> Yes, this is obviously the next weak point. Virus writers would tap into
> the smart card reader and wait for notification that a smart-card has been
> inserted, or unlocked, before trying to execute a transaction based on the
> name of the bank issuing the certificate.
>
> All I can say here is that users need to be more responsible for the
> security of their own computers. OR, banks can strike up agreements with AV
> vendors to make a "managed" AV service available to their customers.

Maybe this will help. I'm not confident it will be good enough for long.

> > And then there are other issues, like which smartcard + PKI + message
> > format must be supported by the PC, OS, and user's software. And do all
> > these factors interoperate smoothly with all the other software a banking
> > customer may have. Finally, there is the need to re-authenticate every
> > customer in order to issue a new identifier in the form of the card.
>
> So long as the smartcard supports PKCS#11, there should be no problem
> interacting with it. The PKI software chosen by the bank should be
> irrelevant, as it still produces certificates in the standard X.509 formats.

The selected CA, cert issuing process, extensions and/or cert constraint fields, CA policy statement and the fields/structure in the messages generally give all the PKCS#11 and X.509 a strong flavour of 'proprietary' implementations. Worse, many CA approaches will provide an assertion about a person (Lyal Collins), not that person's accounts, or conversely, with accounts. In the former case, I have to register my cert with each account I have with each (so the banks can update their account profiles with my cert details), while the latter case means a new cert for each account I have. If this isn't a case of implementing new 1:1 security relationships just to replace existing solutions with new technology, without saving costs, I don't know what is.

> Message format can be specified by the online application, as it does not
> have to interact with anyone else, other than that single online
> application.

This = proprietary solution. What about my other financial/bank relationships?

> > Technically, a good idea. Practically, and commercially, very hard and
> > expensive to do. Requiring every on-line banking customer to buy a new
> > computer in order to use on-line banking is probably worse than giving
> > customers a new computer, something that does happen for high worth
> > individuals in a few rare cases.
>
> I'm not suggesting for a second that people will HAVE to buy a new computer.
> You can buy a smart-card reader for less than USD30. No need for a new
> computer, if you already have one.

Smartcard readers are like sterilising bullets - the benefit (germ free) is far outweighed by other effects (the bullet kills you).

> My point was that IF manufacturers start shipping computers with a
> smart-card reader already part of the PC, and with drivers already installed
> as part of the OS installation, then we start approaching the "zero-setup"
> that was originally posited as the "Holy Grail".

We can but hope - one day, oh one day.

Lyal