WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Rogan Dawes <discard () dawes za net>
Date: Mon, 24 Jan 2005 09:18:14 +0100
Lyal Collins wrote:
-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Monday, 17 January 2005 7:14 PM
To: Florian Weimer
Cc: Rafael San Miguel; webappsec () securityfocus com; Enrique.Diez () dvc es
Subject: Re: Proposal to anti-phishing

[snip]

For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.

IBM, Compaq and HP have (at least in the past, as well as currently) also offered similar capability. But these are weak against keyboard sniffer trojans that also enact authenticated transactions on behalf of the attacker. We don't have a good metric on how to detect 'bad' transactions in this scenario - all transactions received by the bank are constructed with the smartcard's keys. This is turning the consumer's PC into the phishing target, not the bank site per se.
Yes, this is obviously the next weak point. Virus writers would tap into the smart card reader and wait for notification that a smart-card has been inserted, or unlocked, before trying to execute a transaction based on the name of the bank issuing the certificate.
All I can say here is that users need to be more responsible for the security of their own computers. OR, banks can strike up agreements with AV vendors to make a "managed" AV service available to their customers.
And then there are other issues, like which smartcard + PKI + message format must be supported by the PC, OS, and user's software. And do all these factors interoperate smoothly with all the other software a banking customer may have? Finally, there is the need to re-authenticate every customer in order to issue a new identifier in the form of the card.
So long as the smartcard supports PKCS#11, there should be no problem interacting with it.
The PKI software chosen by the bank should be irrelevant, as it still produces certificates in the standard X.509 formats.
Message format can be specified by the online application, as it does not have to interact with anyone else, other than that single online application.
Technically, a good idea. Practically, and commercially, very hard and expensive to do. Requiring every on-line banking customer to buy a new computer in order to use on-line banking is probably worse than giving customers a new computer, something that does happen for high worth individuals in a few rare cases.
I'm not suggesting for a second that people will HAVE to buy a new computer. You can buy a smart-card reader for less than USD30. No need for a new computer, if you already have one.
My point was that IF manufacturers start shipping computers with a smart-card reader already part of the PC, and with drivers already installed as part of the OS installation, then we start approaching the "zero-setup" that was originally posited as the "Holy Grail".
We cannot just avoid the issue by saying that banks and clients "don't wanna!" go to the trouble of setting up a new device so they can be secure online.

I agree. First, we need to have both banks and customers say "we want better security, it's our problem, not someone else's". We don't buy cars and houses without locks, doors and in some cases, alarms. We buy letter boxes so the mailman doesn't pin our letters to the fence for all to read. We all do these things, and have the minor inconvenience of carrying keys (and possibly losing them) and remembering alarm codes to prevent easy theft and misuse. Why do banks expect consumers to take responsibility for a service the bank is 'selling' which has no locks, doors or alarms, then complain about fraud by and against those same customers?

If on-line fraud were harder for criminals, they'd look at some other channel or give up.
From experience, I'd go with the former, rather than the latter option. I'm just concerned about the new channel they will find.
(Better car alarms reduced car-theft, but the hijacking rate increased instead. Personally, I'd rather they just took the car than me with it.)
Lyal
Rogan

--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist.
Please respond to "lists AT dawes DOT za DOT net"