WebApp Sec mailing list archives
Re: limits of end-user "testing"
From: byte_jump <bytejump () gmail com>
Date: Thu, 17 Nov 2005 14:33:30 -0700
On 11/17/05, Luke Fraser <LFraser () soltrus com> wrote:
> This makes sense to me, but can anyone confirm that banks' fraud detection systems are this good?
Yes, they are that good and they look for anomalies, odd behavior, transfers to odd accounts, etc. As for two-factor authentication being subject to MITM attacks - it is, but that vulnerability is reduced if two-factor is implemented correctly and rechallenges users when they try to transfer money, etc. Sure, it can still be defeated under certain circumstances, but we need to be realistic. Banks aren't going to issue smart cards and readers to their customers any time soon - customers wouldn't stand for it - so digitally signing transactions is a pipe dream at this point.