| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 May 2007 08:53:09 -0400 From: "James C. Slora Jr." <james.slora@...a.com> To: <bugtraq@...urityfocus.com> Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method Florian Weimer wrote Thursday, May 10, 2007 5:46 PM > What if the measure helps to prevent customer confidence from eroding any further? I fear you need to do something equally visible against the very visible threat of fake web pages. This is the key point of Citi's keyboard - to help end users feel confident enough to use their card online. The virtual keyboard does little or nothing to reduce the risk of theft. There is a certain percentage of the population who will continue to be gullible enough to fall for phishes, and who will continue to get their endpoints infected with various malware. This percentage is not highly variable - it is usually the same people over and over in my experience. So banks should be able to build the cost of recovering from fraud into their interest rates and fees. What is harder to manage is public perception of the risk. Customers don't care about the average risk. They care about feeling safe in their own individual transactions, and they want the credit provider to do the work that secures the transaction. Fear rides wild cycles, and perception changes constantly. Citi needs their customers to see that they are "doing something" about the risk. Otherwise people may reduce their online purchasing or jump to another credit provider. So I see the virtual keyboard as a marketing tool more than a security tool, and as such it has a reasonable chance of success.
Powered by blists - more mailing lists