Re: Proposal to anti-phishing

From: Rogan Dawes (discard@dawes.za.net)
Date: Mon Jan 24 2005 - 02:18:14 CST


Lyal Collins wrote:
>
>>-----Original Message-----
>>From: Rogan Dawes [mailto:discard@dawes.za.net]
>>Sent: Monday, 17 January 2005 7:14 PM
>>To: Florian Weimer
>>Cc: Rafael San Miguel; webappsec@securityfocus.com;
>>Enrique.Diez@dvc.es
>>Subject: Re: Proposal to anti-phishing
>>
>>
>
>
> [snip]
>
>
>>For an example, I look to the Dell Latitude D600, which comes with an
>>integrated smart card reader. Maybe a good feature addition
>>for the new
>>LCD monitors would be a smart card reader slot, connected via
>>USB. The
>>more people use them, the more ubiquitous they will be, and the less
>>"setup" will be required by new users/clients.
>
>
> IBM, Compaq and HP have (at least in the past, as well as currently) also
> offered similar capability.
> But these are weak against keyboard sniffer trojans that also enact
> authenticated transactions on behalf of the attacker. We don't have a good
> metric on how to detect 'bad' transactions in this scenario - all
> transactions received by the bank are constructed with the smartcard's keys.
> This is turning the consumer's PC into the phishing target, not the bank
> site per se.

Yes, this is obviously the next weak point. Virus writers would tap into
the smart card reader and wait for notification that a smart-card has
been inserted, or unlocked, before trying to execute a transaction based
on the name of the bank issuing the certificate.

All I can say here is that users need to be more responsible for the
security of their own computers. OR, banks can strike up agreements with
AV vendors to make a "managed" AV service available to their customers.

>
> And then there are other issues, like which smartcard + pki + message format
> must be supported by the PC, OS, and user's software. And do all these
> factors interoperate smoothly with all the other software a banking customer
> may have.
> Finally, there is the need to re-authenticate every customer in order to issue
> a new identifier in the form of the card.

So long as the smartcard supports PKCS#11, there should be no problem
interacting with it.

The PKI software chosen by the bank should be irrelevant, as it still
produces certificates in the standard X.509 formats.

Message format can be specified by the online application, as it does
not have to interact with anyone else, other than that single online
application.

>
>
> Technically, a good idea. Practically, and commercially, very hard and
> expensive to do. Requiring every on-line banking customer to buy a new
> computer in order to use on-line banking is probably worse than giving
> customers a new computer, something that does happen for high worth
> individuals in a few rare cases.

I'm not suggesting for a second that people will HAVE to buy a new
computer. You can buy a smart-card reader for less than USD30. No need
for a new computer, if you already have one.

My point was that IF manufacturers start shipping computers with a
smart-card reader already part of the PC, and with drivers already
installed as part of the OS installation, then we start approaching the
"zero-setup" that was originally posited as the "Holy Grail".

>>We cannot just avoid the issue by saying that banks and
>>clients "don't
>>wanna!" go to the trouble of setting up a new device so they can be
>>secure online.
>
> I agree
> First, we need to have both banks and customers say "we want better
> security, its our problem, not someone elses"
>
> We don't buy cars and houses without locks, doors and in some cases, alarms.
> We buy letter boxes so the mailman doesn't pin our letters to the fence for
> all to read. We all do these things, and have the minor inconvenience of
> carrying keys (and possibly losing them) and remembering alarm codes to
> prevent easy theft and misuse.
> Why do banks expect consumers to take responsibility for a service the bank
> is 'selling' which has no locks, doors or alarms, then complain about fraud
> by and against those same customers?
>
> If on-line fraud were harder for criminals, they'd look at some other
> channel or give up.

From experience, I'd go with the former, rather than the latter option.
I'm just concerned about the new channel they will find.

(Better car alarms reduced car-theft, but the hijacking rate increased
instead. Personally, I'd rather they just took the car than me with it.)

>
> Lyal

Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
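The weak point Lyal and Rogan agree on above (a trojan on the PC that waits for the card to be unlocked and then signs its own transaction, which the bank cannot tell apart from the customer's) is easy to see in code. The following is an added example, not code from either poster or from any bank or card vendor. It assumes a P-256 ECDSA key standing in for the card's key, a constructed "payee|amount" message format, a constructed PIN, and a Sign method that behaves like a PKCS#11 C_Sign call: once the PIN is in, any process that can reach the reader gets a signature over whatever hash it presents.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Card stands in for the smartcard (ASSUMPTION: a P-256 ECDSA key, not
// whatever a real issuer loads). The private key never leaves the card; the
// host can only ask it to sign once the PIN has been entered.
type Card struct {
	key      *ecdsa.PrivateKey
	pin      string
	unlocked bool
}

func NewCard(pin string) (*Card, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Card{key: k, pin: pin}, nil
}

// Unlock is the PIN entry step; a keyboard sniffer on the host sees it too.
func (c *Card) Unlock(pin string) bool {
	c.unlocked = pin == c.pin
	return c.unlocked
}

func (c *Card) Public() *ecdsa.PublicKey { return &c.key.PublicKey }

// Sign is the card's only service, the equivalent of a PKCS#11 C_Sign call.
// The card cannot tell which process on the host is asking.
func (c *Card) Sign(msg []byte) ([]byte, error) {
	if !c.unlocked {
		return nil, errors.New("card locked: PIN required")
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

// Transaction is the online application's own message format
// (ASSUMPTION: a constructed "payee|amount" encoding).
type Transaction struct {
	Payee  string
	Amount int
	Sig    []byte
}

func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d", t.Payee, t.Amount))
}

// BankVerify is everything the bank can check: the signature verifies under
// the public key bound to this customer's certificate.
func BankVerify(pub *ecdsa.PublicKey, t Transaction) bool {
	h := sha256.Sum256(t.Bytes())
	return ecdsa.VerifyASN1(pub, h[:], t.Sig)
}

// Result records the three paths discussed in the thread.
type Result struct {
	SignedWhileLocked bool // trojan tries before the PIN is entered
	UserAccepted      bool // the customer's own payment
	TrojanAccepted    bool // the trojan's payment, signed after the unlock
}

// Scenario plays out the exchange: a trojan that tries too early and is
// refused, the customer unlocking the card to pay a bill, and the trojan
// coming back after the unlock to get its own transaction signed.
func Scenario() (Result, error) {
	var r Result
	card, err := NewCard("1234") // constructed PIN
	if err != nil {
		return r, err
	}
	mule := Transaction{Payee: "mule-account", Amount: 5000} // constructed
	if _, e := card.Sign(mule.Bytes()); e == nil {
		r.SignedWhileLocked = true
	}
	card.Unlock("1234") // the customer enters the PIN for a real payment
	bill := Transaction{Payee: "electricity", Amount: 120} // constructed
	if bill.Sig, err = card.Sign(bill.Bytes()); err != nil {
		return r, err
	}
	if mule.Sig, err = card.Sign(mule.Bytes()); err != nil {
		return r, err
	}
	r.UserAccepted = BankVerify(card.Public(), bill)
	r.TrojanAccepted = BankVerify(card.Public(), mule)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r) // both transactions verify; only the early one fails
}
```

The bank-side check accepts both the bill payment and the mule transfer, because both carry a valid signature from the customer's key; the only request that fails is the one made before the PIN was entered. That is the sense in which the smartcard moves the target from the bank's site to the customer's PC rather than removing it.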