lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ED4D2B7262D0FF46B802B35FF362FE68014D3A2F@lincoln.fairfax.phra.com>
Date: Fri, 11 May 2007 08:53:09 -0400
From: "James C. Slora Jr." <james.slora@...a.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Defeating Citibank Virtual Keyboard protection using screenshot method

Florian Weimer wrote Thursday, May 10, 2007 5:46 PM

>  What if the measure helps to prevent customer confidence from eroding
any further?  I fear you need to do something equally visible against
the very visible threat of fake web pages.

This is the key point of Citi's keyboard - to help end users feel
confident enough to use their card online. The virtual keyboard does
little or nothing to reduce the risk of theft.

There is a certain percentage of the population who will continue to be
gullible enough to fall for phishes, and who will continue to get their
endpoints infected with various malware. This percentage is not highly
variable - it is usually the same people over and over in my experience.
So banks should be able to build the cost of recovering from fraud into
their interest rates and fees.

What is harder to manage is public perception of the risk. Customers
don't care about the average risk. They care about feeling safe in their
own individual transactions, and they want the credit provider to do the
work that secures the transaction.

Fear rides wild cycles, and perception changes constantly. Citi needs
their customers to see that they are "doing something" about the risk.
Otherwise people may reduce their online purchasing or jump to another
credit provider.

So I see the virtual keyboard as a marketing tool more than a security
tool, and as such it has a reasonable chance of success.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ