RE: Proposal to anti-phishing

["Lyal Collins" <lyal.collins () key2it com au>]

> -----Original Message-----
> From: Rogan Dawes [mailto:discard () dawes za net] 
> Sent: Monday, 24 January 2005 7:18 PM
> To: Lyal Collins
> Cc: 'Florian Weimer'; 'Rafael San Miguel'; 
> webappsec () securityfocus com; Enrique.Diez () dvc es
> Subject: Re: Proposal to anti-phishing
>
>
> Lyal Collins wrote:
> > > -----Original Message-----
> > > From: Rogan Dawes [mailto:discard () dawes za net] 
> > > Sent: Monday, 17 January 2005 7:14 PM
> > > To: Florian Weimer
> > > Cc: Rafael San Miguel; webappsec () securityfocus com; 
> > > Enrique.Diez () dvc es
> > > Subject: Re: Proposal to anti-phishing
> >
> >
> > [snip]
> >
> >
> > > For an example, I look to the Dell Latitude D600, which 
> comes with an 
> > > integrated smart card reader. Maybe a good feature addition 
> > > for the new 
> > > LCD monitors would be a smart card reader slot, connected via 
> > > USB. The 
> > > more people use them, the more ubiquitous they will be, and 
> the less 
> > > "setup" will be required by new users/clients.
> >
> >
> > IBM, Compaq and HP have (at least in the past, as well as 
> currently) also
> > offered similar capability.
> > But these are weak against keyboard sniffer trojans that also enact
> > authenticated transactions on behalf of the attacker.  We 
> don't have a good
> > metric on how to detect 'bad' transacitons in this scenario - all
> > transactions received by the bank are constructed with the 
> smartcard's keys.
> > This is turning the consumer's PC into the phishing target, 
> not the bank
> > site pre se.
>
> Yes, this is obviously the next weak point. Virus writers 
> would tap into 
> the smart card reader and wait for notification that a smart-card has 
> been inserted, or unlocked, before trying to execute a 
> transaction based 
> on the name of the bank issuing the certificate.
>
> All I can say here is that users need to be more responsible for the 
> security of their own computers. OR, banks can strike up 
> agreements with 
> AV vendors to make a "managed" AV service available to their 
> customers.

Maybe this will help. I'm not confident it will be good enough for long.


> > And then there are other issues, like which smartcard + pki 
> + message format
> > must be supported by the PC, OS, and user's software.  And 
> do all these
> > factors interoperate smoothly with all the other software a 
> banking customer
> > may have.
> > Finally, there is the need to re-authenicate ever customer 
> in order to issue
> > a new identifier in the form of the card.
>
> So long as the smartcard supports PKCS#11, there should be no problem 
> interacting with it.
>
> The PKI software chosen by the bank should be irrelevant, as it still 
> produces certificates in the standard X.509 formats.

The selected CA, cert issuing process, extensions and or cert constrainst
fields, CA policy statement and the fields/structure in the messages
generally give all the PKCS 11 and X.509 a strong flavour of 'proprietary'
implmentations.
Worse, many CA approachs will provide an assertion about a person (lyal
collins) not theat person's accounts, or conversely, with accounts.  In the
former case, I have to register my cert with each account I have with each
(so the banks can update their account profiles with my cert details) while
the latter case means a new cert for each account I have.  

If this isn't a case of inplementing new 1:1 security relationships just to
replaice existing solutions with new technology, without saving costs, I
don't know what is.

> Message format can be specified by the online application, as it does 
> not have to interact with anyone else, other than that single online 
> application.
This = proprietary solutuion., What about my other financial/bank
relationships?

> > Technically, a good idea.  Practically, and commercially, 
> very hard and
> > expensive to do.  Requiring every on-line banking customer 
> to buy a new
> > computer in order to use on-line banking is probably worse 
> than giving
> > customers a new computer, something that does happen for high worth
> > individuals in a few rare cases.
>
> I'm not suggesting for a second that people will HAVE to buy a new 
> computer. You can buy a smart-card reader for les than USD30. No need 
> for a new computer, if you already have one.

Smartcard readers are like sterilising bullets - the benefit (germ free) is
far outweighed by other effects (the bullet kills you).


> My point was that IF manufacturers start shipping computers with a 
> smart-card reader already part of the PC, and with drivers already 
> installed as part of the OS installation, then we start 
> approaching the 
> "zero-setup" that was originally posited as the "Holy Grail".

We can but hope - one day, Oh one day

Lyal