[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ED4D2B7262D0FF46B802B35FF362FE68014D3A2F@lincoln.fairfax.phra.com>
Date: Fri, 11 May 2007 08:53:09 -0400
From: "James C. Slora Jr." <james.slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method
Florian Weimer wrote Thursday, May 10, 2007 5:46 PM
> What if the measure helps to prevent customer confidence from eroding
any further? I fear you need to do something equally visible against
the very visible threat of fake web pages.
This is the key point of Citi's keyboard - to help end users feel
confident enough to use their card online. The virtual keyboard does
little or nothing to reduce the risk of theft.
There is a certain percentage of the population who will continue to be
gullible enough to fall for phishes, and who will continue to get their
endpoints infected with various malware. This percentage is not highly
variable - it is usually the same people over and over in my experience.
So banks should be able to build the cost of recovering from fraud into
their interest rates and fees.
What is harder to manage is public perception of the risk. Customers
don't care about the average risk. They care about feeling safe in their
own individual transactions, and they want the credit provider to do the
work that secures the transaction.
Fear rides wild cycles, and perception changes constantly. Citi needs
their customers to see that they are "doing something" about the risk.
Otherwise people may reduce their online purchasing or jump to another
credit provider.
So I see the virtual keyboard as a marketing tool more than a security
tool, and as such it has a reasonable chance of success.
Powered by blists - more mailing lists