WebApp Sec mailing list archives

Re: Proposal to anti-phishing


From: Rogan Dawes <discard () dawes za net>
Date: Mon, 24 Jan 2005 09:18:14 +0100

Lyal Collins wrote:

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net] Sent: Monday, 17 January 2005 7:14 PM
To: Florian Weimer
Cc: Rafael San Miguel; webappsec () securityfocus com; Enrique.Diez () dvc es
Subject: Re: Proposal to anti-phishing

[snip]


For an example, I look to the Dell Latitude D600, which comes with an integrated smart card reader. Maybe a good feature addition for the new LCD monitors would be a smart card reader slot, connected via USB. The more people use them, the more ubiquitous they will be, and the less "setup" will be required by new users/clients.


IBM, Compaq and HP have (at least in the past, as well as currently) also
offered similar capability.
But these are weak against keyboard sniffer trojans that also enact
authenticated transactions on behalf of the attacker.  We don't have a good
metric on how to detect 'bad' transactions in this scenario - all
transactions received by the bank are constructed with the smartcard's keys.
This is turning the consumer's PC into the phishing target, not the bank
site per se.

Yes, this is obviously the next weak point. Virus writers would tap into the smart card reader and wait for notification that a smart-card has been inserted, or unlocked, before trying to execute a transaction based on the name of the bank issuing the certificate.

All I can say here is that users need to be more responsible for the security of their own computers. OR, banks can strike up agreements with AV vendors to make a "managed" AV service available to their customers.


And then there are other issues, like which smartcard + pki + message format
must be supported by the PC, OS, and user's software.  And do all these
factors interoperate smoothly with all the other software a banking customer
may have.
Finally, there is the need to re-authenticate every customer in order to issue
a new identifier in the form of the card.

So long as the smartcard supports PKCS#11, there should be no problem interacting with it.

The PKI software chosen by the bank should be irrelevant, as it still produces certificates in the standard X.509 formats.

Message format can be specified by the online application, as it does not have to interact with anyone else, other than that single online application.

Technically, a good idea.  Practically, and commercially, very hard and
expensive to do.  Requiring every on-line banking customer to buy a new
computer in order to use on-line banking is probably worse than giving
customers a new computer, something that does happen for high worth
individuals in a few rare cases.

I'm not suggesting for a second that people will HAVE to buy a new computer. You can buy a smart-card reader for less than USD30. No need for a new computer, if you already have one.

My point was that IF manufacturers start shipping computers with a smart-card reader already part of the PC, and with drivers already installed as part of the OS installation, then we start approaching the "zero-setup" that was originally posited as the "Holy Grail".

We cannot just avoid the issue by saying that banks and clients "don't wanna!" go to the trouble of setting up a new device so they can be secure online.

I agree.
First, we need to have both banks and customers say "we want better
security, it's our problem, not someone else's"

We don't buy cars and houses without locks, doors and in some cases, alarms.
We buy letter boxes so the mailman doesn't pin our letters to the fence for
all to read. We all do these things, and have the minor inconvenience of
carrying keys (and possibly losing them) and remembering alarm codes to
prevent easy theft and misuse.
Why do banks expect consumers to take responsibility for a service the bank
is 'selling' which has no locks, doors or alarms, then complain about fraud
by and against those same customers?
If on-line fraud were harder for criminals, they'd look at some other
channel or give up.

From experience, I'd go with the former, rather than the latter option. I'm just concerned about the new channel they will find.

(Better car alarms reduced car-theft, but the hijacking rate increased instead. Personally, I'd rather they just took the car than me with it.)


Lyal

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
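The transaction-signing arrangement discussed in this thread (a key held on the customer's smartcard, an X.509 certificate issued by the bank's PKI, and a message format chosen by the online application), together with the weakness Lyal raises, as an added Go example that is not part of the original messages. It assumes an application-defined `v1|account|payee|amount|nonce` message, a self-signed certificate standing in for the bank's PKI, a software key standing in for the smartcard, and a per-transaction nonce store for replay detection that the thread does not mention; all account and payee names are constructed. The last step shows the point from the quoted reply: a transaction signed by the same unlocked card at another process's request passes every bank-side check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Transaction is the message format the online application fixes for itself
// (an assumption of this example; the thread specifies none).
type Transaction struct {
	Account string // must equal the certificate's CommonName
	Payee   string
	Amount  int64  // minor units (cents)
	Nonce   string // unique per transaction, lets the bank reject replays
}

// Canonical is the exact byte string the card signs and the bank verifies.
func (t Transaction) Canonical() []byte {
	return []byte(fmt.Sprintf("v1|%s|%s|%d|%s", t.Account, t.Payee, t.Amount, t.Nonce))
}

// issueCustomerCert stands in for the bank's PKI: it binds the cardholder's
// public key to an account name in a self-signed X.509 certificate. A real
// deployment chains this to the bank's CA; verification below only needs
// standard X.509 fields, whichever PKI product produced them.
func issueCustomerCert(account string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: account},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signTransaction is what an unlocked smartcard does for whatever process
// asks: hash the canonical message and sign it with the card's key.
func signTransaction(key *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	h := sha256.Sum256(t.Canonical())
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// verifyTransaction is the bank-side check: certificate fields, signature,
// then the nonce store. It proves the card's key signed this exact message;
// it cannot tell whether the cardholder or a trojan on the same PC asked.
func verifyTransaction(cert *x509.Certificate, t Transaction, sig []byte, seen map[string]bool) error {
	if cert.Subject.CommonName != t.Account {
		return errors.New("certificate subject does not match account")
	}
	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate not usable for signing")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate not currently valid")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported key type")
	}
	h := sha256.Sum256(t.Canonical())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match message")
	}
	if seen[t.Nonce] {
		return errors.New("nonce already used (replay)")
	}
	seen[t.Nonce] = true
	return nil
}

// demo runs the exchange end to end on constructed data and reports which
// submissions the bank accepts.
func demo() (legitOK, replayOK, tamperedOK, otherProcessOK bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	cert, err := issueCustomerCert("cust-0001", key)
	if err != nil {
		panic(err)
	}
	seen := map[string]bool{}

	// Cardholder's own transaction.
	tx := Transaction{Account: "cust-0001", Payee: "ACME-UTILITY", Amount: 4250, Nonce: "n-1"}
	sig, _ := signTransaction(key, tx)
	legitOK = verifyTransaction(cert, tx, sig, seen) == nil
	// Same signed message submitted again: the nonce store catches it.
	replayOK = verifyTransaction(cert, tx, sig, seen) == nil
	// Amount altered after signing: the signature no longer matches.
	tampered := tx
	tampered.Amount, tampered.Nonce = 425000, "n-2"
	tamperedOK = verifyTransaction(cert, tampered, sig, seen) == nil
	// Fresh transaction signed by the same unlocked card for another process
	// on the PC: indistinguishable from the cardholder's own at the bank.
	other := Transaction{Account: "cust-0001", Payee: "UNKNOWN-PAYEE", Amount: 900000, Nonce: "n-3"}
	osig, _ := signTransaction(key, other)
	otherProcessOK = verifyTransaction(cert, other, osig, seen) == nil
	return
}

func main() {
	l, r, t, o := demo()
	fmt.Printf("legit=%v replay=%v tampered=%v other-process=%v\n", l, r, t, o)
}
```

The first three checks are what the bank can enforce from the message alone; the fourth result is the gap the quoted reply describes, since nothing in the signed message records which process on the customer's PC asked the card to sign.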

