WebApp Sec mailing list archives
RE: Proposal to anti-phishing
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Mon, 24 Jan 2005 18:23:26 +1100
USB and indeed all plug-in tokens are susceptible to keystroke monitoring IF the device doesn't have a keypad and display on the device. If the password/PIN is ever sniffed, then any malware on the host PC can simulate the human to whom the device is registered, and enact transactions to the benefit of the attacker without the genuine user ever being able to repudiate the false transactions under this security/authentication model (to the bank, device = genuine transaction, period).

Putting keypads and displays on makes the devices more or less customised to the issuing bank. If there are downloadable updates or content of any form, there is the real risk of breaking the device's security model. Certainly, PSCS isn't any good where keypads or displays are used, while STIP may help a bit.

Even with displays/keypads on devices, the user still can't be sure that the transaction their device 'signs' is actually the transaction they want to do. If you think about it, 'secure devices' only work when they can do the entire transaction, from connection to the Bank, selection and input of transaction, and commitment for completion. The devices used today are called PCs and workstations - they just aren't secure. Secure PCs would answer all these problems - but we are never likely to get them. Even so, the user education cycle is long (how long did it take for ATMs to be widely accepted?) and there are still no guarantees.

In short, so called security devices merely delay the inevitable sophistication of attacks, by a few days in the worst case, weeks or maybe months if we are real lucky. In the meantime, live with risk.

Lyal
-----Original Message-----
From: Jimi Thompson [mailto:jimi.thompson () gmail com]
Sent: Friday, 21 January 2005 5:24 PM
To: webappsec () securityfocus com
Cc: Florian Weimer; Rafael San Miguel; Enrique.Diez () dvc es
Subject: Re: Proposal to anti-phishing

<SNIP>Zero-setup online banking will be possible again (with SSL client certs, hear me beat the drum once more) once enough clients have smart card readers as standard equipment, properly integrated with the operating system and the browsers. For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.</SNIP>

Why not use something like the Rainbow iKey that uses a USB connection, which virtually every computer has nowadays? It too is an EPROM with a PKI public/private key pair. That way there's no extra hw to install and you don't have to wait for the item to percolate through the market place. Remember Betamax? Consumers are used to carrying around bar code tabs for their shopping/store club/discount/credit cards and such on their key chains, why not that too?

The caveat is this - all authentication is based on one of 2 things - something you have (token, thumb print, etc.) or something you know (PIN, password, etc.). The "something you have" can be stolen. Right now, we have people going after the "something you know" by placing devices on ATM machines to record information, identity theft online, phishing for id10ts, etc. Now instead of relatively non-violent (although highly annoying) crimes like phishing, we'll see an escalation in muggings, purse snatchings, and the general category of beating people up and taking their stuff.

As an aside, my big fear with biometrics is that some criminal groups will start cutting off pertinent pieces of people in order to gain access to accounts. Before someone pipes up and says that it'll never happen, I can tell you from personal eye-witness experience that there are more than a few people on this planet who are perfectly willing to cut off another person's hand or fingers to get their rings, watch, bracelet, etc. If they'll do it for some jewelry, which will hock at the pawn shop for about $20, they'll definitely do it to get into your checking account.

One thing that I've not seen discussed here is non-repudiation. Non-repudiation was a major portion of the last PKI wg. It's very important in dealing with legal and money matters. What do you do when my online identity gets used and I say it wasn't me? Just how good is your system? Will it stop me from buying a Lexus or transferring all my money to the Cayman Islands and saying that I didn't?

While I agree with the "zero setup" stuff, it's probably not legal in the USA. We have laws that require you to physically show identification and a few other things when opening a checking account. There are more laws that require the reporting of large sums of money. This is to prevent the laundering of drug money (for example) as well as other illegal activities. The federal laws are pretty minimal, but some states have stricter laws about this. Any bank that isn't doing something to physically look at IDs is probably in violation of something. I admit that these aren't well enforced but they should be.

2 cents (as usual)

--
Thanks,
Jimi
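The failure mode Lyal describes (a keylogged PIN plus a token that signs whatever the host hands it, so that "to the bank, device = genuine transaction") and Jimi's non-repudiation question can both be made concrete with a small model. This is an added example, not code from the thread, from Rainbow, or from any bank; the token is modelled as an HMAC-SHA256 signer with a per-device secret shared with the bank (a simplification, real tokens would normally hold an asymmetric key), the transaction encoding is invented for the example, and `user_confirms` stands in for a human reading the device's display.

```python
"""Model of a blind USB token vs. a token with its own display/keypad.
Added example for the thread above; all names and values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount: int  # minor units (cents); encoding below is an assumption of this model

    def encode(self):
        return f"{self.payee}|{self.amount}".encode()

    @classmethod
    def decode(cls, data):
        payee, amount = data.decode().split("|")
        return cls(payee, int(amount))


class BlindToken:
    """No keypad, no display: the PIN arrives over USB from the host (where a
    keylogger can read it) and the token signs whatever bytes it is given."""

    def __init__(self, device_id, secret, pin):
        self.device_id = device_id
        self._secret = secret
        self._pin = pin

    def sign(self, pin, data):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, data, hashlib.sha256).digest()


class DisplayToken(BlindToken):
    """Display plus keypad: decodes the transaction, shows it, and signs only if
    the user confirms on the device. The model still passes the PIN through
    host_submit for uniformity; on a real keypad device it would not touch the host."""

    def __init__(self, device_id, secret, pin, user_confirms):
        super().__init__(device_id, secret, pin)
        self._user_confirms = user_confirms  # callable(Transaction) -> bool

    def sign(self, pin, data):
        shown = Transaction.decode(data)  # what is displayed is exactly what is signed
        if not self._user_confirms(shown):
            raise PermissionError("user rejected transaction on device display")
        return super().sign(pin, data)


class Bank:
    """Knows each device's secret; any correctly signed message counts as genuine."""

    def __init__(self):
        self._secrets = {}

    def register(self, device_id, secret):
        self._secrets[device_id] = secret

    def verify(self, device_id, data, sig):
        secret = self._secrets.get(device_id)
        if secret is None:
            return False
        expected = hmac.new(secret, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def host_submit(bank, token, pin, intended, malware=None):
    """The user's PC. `malware`, if present, has already keylogged the PIN and
    swaps the transaction before it reaches the token. Returns (tx sent, accepted)."""
    tx = malware(intended) if malware else intended
    try:
        sig = token.sign(pin, tx.encode())
    except PermissionError:
        return tx, False
    return tx, bank.verify(token.device_id, tx.encode(), sig)


def run_scenarios():
    bank = Bank()
    secret = b"per-device-secret-provisioned-at-issue"  # constructed sample value
    pin = "4711"
    intended = Transaction("Alice", 10_000)

    def malware(_):  # substitutes the attacker's own payment
        return Transaction("Mallory", 1_000_000)

    blind = BlindToken("dev-blind", secret, pin)
    bank.register(blind.device_id, secret)
    _, blind_honest = host_submit(bank, blind, pin, intended)
    swapped, blind_swapped = host_submit(bank, blind, pin, intended, malware)

    # With a display, the human compares what the device shows against intent.
    display = DisplayToken("dev-display", secret, pin, lambda shown: shown == intended)
    bank.register(display.device_id, secret)
    _, display_honest = host_submit(bank, display, pin, intended)
    _, display_swapped = host_submit(bank, display, pin, intended, malware)

    # Altering bytes after signing is still caught: the MAC binds the message.
    sig = blind.sign(pin, intended.encode())
    tampered = bank.verify(blind.device_id, Transaction("Mallory", 10_000).encode(), sig)

    return {
        "blind_honest": blind_honest,            # True
        "blind_swapped_accepted": blind_swapped, # True: bank cannot tell it apart
        "blind_swapped_payee": swapped.payee,    # "Mallory"
        "display_honest": display_honest,        # True
        "display_swapped_accepted": display_swapped,  # False: user declined on device
        "tampered_after_signing": tampered,      # False
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point of the two results that matter: with the blind token, `blind_swapped_accepted` is True and the bank's own records show a validly signed payment to Mallory from the registered device, which is exactly the position where the customer cannot repudiate. The display token only helps because the device renders the same bytes it signs and the human checks them; a display that showed something other than the signed data, or a user who confirms without reading, puts you back in the first case.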
Current thread:
- RE: Proposal to anti-phishing, (continued)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- Re: Proposal to anti-phishing Griffiths, Ian (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- RE: Proposal to anti-phishing lists (Jan 24)
- Re: Proposal to anti-phishing Kurt Seifried (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 27)
- Re: Proposal to anti-phishing Moksha Faced (Jan 27)
- Re: Proposal to anti-phishing Jimi Thompson (Jan 23)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
- Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- Re: Proposal to anti-phishing exon (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)