lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 May 2007 10:25:19 -0700
From: Eli Dart <dart@...net>
To: bugtraq@...urityfocus.com
Subject: Re: Defeating Citibank Virtual Keyboard protection using screenshot
 method

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


[snip]

> That is the point "Int3" was reiterating.  If the problem Citi's OSK is 
> supposed to fix is actually that the bad guys already have, or can more 
> or less easily get, arbitrary code onto the client machine, then 
> changing the way the client user interacts with the machine does not 
> solve the problem -- it simply changes the form of data capture the bad 
> guys' arbitrary code has to perform.

I think it's worth considering credit cards for a minute.

There is credit card fraud.  It costs big financial institutions lots
of money every year.  Those institutions spend lots of money on
preventing credit card fraud.  The cost of fraud and the money spent on
fraud prevention, in sum, approximate a minimum cost for the financial
institutions (at least, that's their goal :)  Yes, more fraud could be
prevented, but at a higher aggregate cost (note that part of the cost
might be lost revenue due to customer flight from onerous anti-fraud
measures).  Financial institutions put a lot of work into finding that
minimum.

There will always be online banking fraud, or at least we will have
online banking fraud until customers' computers, the bank's computers,
and the networks in between can be fully trusted (which is
approximately never unless we change computing and communications
paradigms).  It is my guess that the solutions deployed by the banks
will try to achieve the aggregate minimum cost for online banking fraud
in the same way that they try to achieve aggregate minimum cost for
credit card fraud.

The reason I say this is not to discuss the particular issues with
Citi's OSK.  I say this to point out that the people holding out for a
"perfect" solution that prevents 100% of online banking fraud are being
unrealistic.  If Citi's OSK reduces real-world fraud by a significant
margin, it's a big win for Citi and their customers, even if it has flaws.


		--eli

- --
Eli Dart                                         Office: (510) 486-5629
ESnet Network Engineering Group                  Fax:    (510) 486-6712
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGQ1V/LTFEeF+CsrMRAp9FAKCMDZ4v4B4NntqY8a2f04uHb4MGtQCgiASy
+JIdYo0idRqOo+MKHm3E7tA=
=z6JK
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists