Message-id: <4644F034.31763.29B8301B@nick.virus-l.demon.co.uk>
Date: Fri, 11 May 2007 22:37:40 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

Rogier Mulhuijzen wrote:

> I'm surprised that banks use such simple things as passwords. Banks here
> in the Netherlands use things like one-time PINs, and challenge/response
> stuff that uses your chipped bank card. Seems a little safer to me.

Banks use such simple things because they are cost effective, or 
rather, the cost of doing anything genuinely more effective is so 
prohibitive that they won't be doing it unless required by legislation 
or until the cost of the fraud due to not doing it significantly 
outweighs the cost of doing it properly (I give them about another
3-5 years on that criterion).

I'm pleased you like your Dutch bank's OTP cards/toggles/etc but are 
they really any better than the worthless CitiBank OSK?

Sure, they're a lot more expensive and a lot more "high-tech" but 
unless they are doing end-to-end client and server authentication and 
strong crypto _AND_ have their own input and output devices that cannot 
be interfaced from the host OS _AND_ are required for verifying 
(virtually) every step of every transaction (in other words -- if you 
have any of the real-world implementations of banking OTP cards used 
anywhere in the world, the answer is "no"), they are effectively no 
better than the Citi OSKs as they are trivially MiTM'ed via on-client 
malware.

Your smug belief in the superior security of your OTP card-based system 
is just as misplaced as that of anyone foolish enough to believe that 
Citi really ratcheted up the bar with its OSK.

Now, imagine you have the choice of being a shareholder in your Dutch 
bank or Citi and on every other measure these banks rate the same -- 
Citi is a better deal as it uses less expensive tech to implement the 
same level of flawed "security" so should produce a better RoI...

Now do you see why banks use such simple things as OSKs and your OTP 
card?


Regards,

Nick FitzGerald
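As an added illustration of the conditions the post lays out (a code that is bound to every transaction and confirmed on a device the host cannot drive), here is a toy model that is not code from the post, from Citi, or from any bank. It contrasts a counter-based session code with a transaction-bound challenge/response, and uses a host-side tamper function as a stand-in for the on-client interference the post describes. The shared key, the account strings, the 6-digit HMAC-derived code format and the function names are all constructed for this demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the token and the bank; not a real key.
TOKEN_KEY = b"demo-shared-secret-not-real"


def canonical(tx: dict) -> bytes:
    """Stable encoding of the fields a transaction code must be bound to."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def six_digits(mac: bytes) -> str:
    """Truncate an HMAC to a 6-digit code, as a token display would."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def session_otp(key: bytes, counter: int) -> str:
    """Counter-based one-time code: binds to the counter only, never to a transaction."""
    return six_digits(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def tx_response(key: bytes, tx: dict) -> str:
    """Challenge/response code computed over the transaction details themselves."""
    return six_digits(hmac.new(key, canonical(tx), hashlib.sha256).digest())


def token_sign(key: bytes, displayed_tx: dict, intended_tx: dict):
    """Token with its own display and keypad: the user approves only when the
    details shown on the token match what they meant to send."""
    if displayed_tx != intended_tx:
        return None  # refused on the token; no code is produced
    return tx_response(key, displayed_tx)


def host_tamper(tx: dict) -> dict:
    """Stand-in for on-client interference: the transaction that reaches the
    bank is not the one the user approved (placeholder values, constructed)."""
    altered = dict(tx)
    altered["payee"] = "ATTACKER-ACCOUNT-PLACEHOLDER"
    altered["amount"] = 5000
    return altered


def bank_accepts_session_otp(key: bytes, counter: int, code: str) -> bool:
    return hmac.compare_digest(code, session_otp(key, counter))


def bank_accepts_tx_response(key: bytes, submitted_tx: dict, code) -> bool:
    return code is not None and hmac.compare_digest(code, tx_response(key, submitted_tx))


def run_scenario(tampered: bool) -> dict:
    """Run one transfer through both schemes and report what the bank accepts."""
    intended = {"payee": "NL00DEMO0000000001", "amount": 50}  # constructed
    submitted = host_tamper(intended) if tampered else intended

    # 1) Session OTP: valid for whatever the host submits, since it binds only to the counter.
    otp_ok = bank_accepts_session_otp(TOKEN_KEY, 7, session_otp(TOKEN_KEY, 7))

    # 2a) Transaction-bound, bank's challenge relayed faithfully: the token shows the
    #     altered details, so the user refuses on the token itself.
    code_faithful = token_sign(TOKEN_KEY, displayed_tx=submitted, intended_tx=intended)

    # 2b) Transaction-bound, host shows the token the original details so the user
    #     approves: the resulting code covers the wrong transaction and fails at the bank.
    code_forged = token_sign(TOKEN_KEY, displayed_tx=intended, intended_tx=intended)

    return {
        "session_otp_accepted": otp_ok,
        "tx_bound_faithful_relay_accepted": bank_accepts_tx_response(TOKEN_KEY, submitted, code_faithful),
        "tx_bound_forged_relay_accepted": bank_accepts_tx_response(TOKEN_KEY, submitted, code_forged),
        "payee_credited": submitted["payee"],
    }


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", run_scenario(tampered))
```

The model makes the post's point concrete: a code that is not bound to the transaction stays valid no matter what the host forwards, while a code computed over the payee and amount, confirmed on a display the host cannot rewrite, fails whichever way the host tries to route around it.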
