Message-id: <4644F034.31763.29B8301B@nick.virus-l.demon.co.uk>
Date: Fri, 11 May 2007 22:37:40 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method
Rogier Mulhuijzen wrote:

> I'm surprised that banks use such simple things as passwords. Banks here
> in the Netherlands use things like one-time PINs, and challenge/response
> stuff that uses your chipped bank card. Seems a little safer to me.

Banks use such simple things because they are cost effective, or
rather, the cost of doing anything genuinely more effective is so
prohibitive that they won't be doing it unless required by legislation
or until the cost of the fraud due to not doing it significantly
outweighs the cost of doing it properly (I give them about another
3-5 years on that criterion).

I'm pleased you like your Dutch bank's OTP cards/toggles/etc but are
they really any better than the worthless CitiBank OSK?

Sure, they're a lot more expensive and a lot more "high-tech" but
unless they are doing end-to-end client and server authentication and
strong crypto _AND_ have their own input and output devices that cannot
be interfaced from the host OS _AND_ are required for verifying
(virtually) every step of every transaction (in other words -- if you
have any of the real-world implementations of banking OTP cards used
anywhere in the world, the answer is "no"), they are effectively no
better than the Citi OSKs as they are trivially MiTM'ed via on-client
malware.

Your smug belief in the superior security of your OTP card-based system
is just as misplaced as that of anyone foolish enough to believe that
Citi really ratcheted up the bar with its OSK.

Now, imagine you have the choice of being a shareholder in your Dutch
bank or Citi and on every other measure these banks rate the same --
Citi is a better deal as it uses less expensive tech to implement the
same level of flawed "security" so should produce a better RoI...

Now do you see why banks use such simple things as OSKs and your OTP
card?

Regards,

Nick FitzGerald
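The distinction Nick draws above, between an OTP that only proves the token is present and a code the token computes over transaction details shown on its own display, as an added illustration that is not part of the original thread. The seed, counter and transaction values are constructed for the demo; a plain OTP verifies no matter what the host actually submitted, while a transaction-bound code fails as soon as the submitted details differ from the ones the user approved.

```python
import hashlib
import hmac

# Constructed demo seed shared by the token and the bank; not a real key.
SEED = b"constructed-demo-seed"


def plain_otp(seed: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the counter, not on what it authorises."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]


def bound_code(seed: bytes, counter: int, amount: int, dest: str) -> str:
    """Transaction-bound code: computed by the token over details it displayed itself."""
    msg = counter.to_bytes(8, "big") + f"{amount}|{dest}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


def bank_accepts(seed: bytes, counter: int, tx: dict, code: str, bound: bool) -> bool:
    """Bank-side check: for the bound scheme, recompute over the transaction actually received."""
    if bound:
        expected = bound_code(seed, counter, tx["amount"], tx["dest"])
    else:
        expected = plain_otp(seed, counter)
    return hmac.compare_digest(code, expected)


def run(bound: bool):
    """Return (approved transaction accepted, host-altered transaction accepted)."""
    counter = 7
    approved = {"amount": 50, "dest": "NL-ALICE"}   # what the user sees and approves
    altered = {"amount": 5000, "dest": "XX-OTHER"}  # what a compromised host sends instead
    # The user types whatever the token shows for the transaction they approved.
    if bound:
        code = bound_code(SEED, counter, approved["amount"], approved["dest"])
    else:
        code = plain_otp(SEED, counter)
    honest_ok = bank_accepts(SEED, counter, approved, code, bound)
    altered_ok = bank_accepts(SEED, counter, altered, code, bound)
    return honest_ok, altered_ok


if __name__ == "__main__":
    print("plain OTP (approved, altered):", run(False))   # (True, True)
    print("bound code (approved, altered):", run(True))   # (True, False)
```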