WebApp Sec mailing list archives
Re: limits of end-user "testing"
From: "Kurt Seifried" <bt () seifried org>
Date: Thu, 17 Nov 2005 05:35:34 -0700
> People occasionally ask me if I can help them figure out if the online banking site they use is secure. I tell them not unless the bank hires me to do so.

Agreed.

> Is there *anything* that an end user can do in the way of checking for the Top 10 type of problems, that would be considered "fair use" (I know.. copyright law term, not really applicable here) or "self-defense" rather than malicious?

That depends on what the Judge/Jury says. I wouldn't chance it. The good news is that banks want online transactions to take off so they'll continue to eat the losses for a while (until it becomes a bigger problem or they figure out a way to shift the cost to customers without causing too much bad publicity).

This isn't really self-defense either since the bank's servers have not attacked you. This is more along the lines of due diligence, i.e. I'm entrusting you with X, I want to make sure you are actually capable of handling X properly and safely. The one method that comes to mind is legal, for example http://www.computerworld.com/printthis/2005/0,4814,105638,00.html

This is a fundamentally economic problem; banks could design systems and processes that would result in the customer having a near 100% secure experience with online banking, but it would be very, very costly. Like Schneier says, shift the cost of phishing to financial institutions and they'll find a way to address it pretty quickly, leave the cost with consumers and.. well.. we'll have the situation we're currently in.

> For purposes of simplicity and relevance to my current location, let's assume that both the user, the website, and the company that owns the site are all in the U.S.

I would especially not even think about it in that case.

-Kurt