Date: Fri, 12 Dec 2008 11:12:19 +0100
From: Martin Salfer <mars@...f.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 21 Million German bank accounts stolen - but accounts are still more secure than many other ones

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Dear vik,

Nice to see that people from all over the world read and answer
full-disclosure. :-)

Yes, you're right. Those trojans that log and intercept data on the fly
are really a pain for most online banking customers. Fortunately some
banks are already technically prepared to resist those trojans.

Some banks already demand a class 3 smart card reader, which means the
reader itself must be equipped with a separate display and keyboard
(costing roughly 100 € in total). Such devices look like the credit
card machines at a checkout.

The amount of every single transaction must be displayed and
acknowledged on the separate card reader, which has its own OS/firmware.

This means any PC trojan would completely fail at intercepting, as any
alteration would be visible on the display or would invalidate the RSA
signature. A successful trojan would need to breach two security zones:
the PC OS plus the super-hardened card reader OS.

The crucial point is to use separate smart card readers that have their own
OS/firmware (not Windows, for sure). Fancy card readers, aren't they? ;-)

Best regards,
	Martin Salfer


Viktor Larionov wrote:
> Dear Martin of good old Germany,
> 
> You are absolutely correct on the poor security and other things...but you
> actually should keep in mind that US internet banking, as far as I am
> concerned, by the amount and complexity of operations is way behind Germany
> and Europe in general.
> For example, US residents, correct me if I'm wrong, it's not every bank in the US
> where you can make a wire transfer or apply for a mortgage all online.
> 
> That's one side of the coin - another side of it is banking trojans - such
> as Torpig, Apophis - keeping these trojans' techniques in mind, there's
> actually no smart card, one-time password, RSA to help you.
> 
> And if you have a list of Deutsche Bank clients, modifying Torpig a bit for
> Deutsche Bank and blasting this thing out to the clients is a good starting
> point - at least from my point of view.
> 
> And I'm not even talking about personal privacy and etc. aspects.
> There's surely more than one way to use this data.
> 
> Kindest regards,
> vik
> from poor young Estonia :)
> 
> P.S.
> 
> By banking trojans, I meant trojans injecting additional payment information
> into your bank transfers - e.g. you make 5 payments, but the trojan makes
> also the sixth one, still the browser with the help of a trojan displays you
> only 5 of them.
> You press accept - and you're done. Correct me if I'm wrong, but I somehow
> remember that Torpig was one of the bad things doing such tricks - as I
> already said, forget about RSA or one-time passwords in these cases :)))
> 
> Still there are very successful strategies used by banks to fight this -
> mostly based on social analysis of your behaviour, but that's another
> story.


-----BEGIN PGP SIGNATURE-----

iD8DBQFJQjkCy4+E3T5McJsRA31AAJ9qb9SxszRcNK1igUP++D9eJub9+wCfR4WS
AUgbWdcxZncL+RtEnT3H36Y=
=4s/o
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
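Editor's note: the argument Martin makes above, that a trojan on the PC is defeated because the reader shows the transfer on its own display and the card's signature covers exactly what was shown ("what you see is what you sign"), can be played through end to end. The following is an added example written for this archive page; it is not code from either poster or from any bank or reader vendor. It assumes a hypothetical canonical byte encoding of a transfer, a freshly generated RSA key in place of the key personalised on a real card, RSA-PSS over SHA-256 in place of whatever signature format real readers use, and constructed sample IBANs. The three cases are a clean PC, a trojan that rewrites the transfer after the reader signed it, and a trojan that rewrites it before it reaches the reader (Viktor's "sixth payment" case), where the outcome rests on the user actually reading the reader's display.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Transfer is the order the bank executes. Amount is in cents so the
// canonical encoding never depends on locale or float formatting.
type Transfer struct {
	IBAN   string
	Amount int64
	Ref    string
}

// Canonical is the exact byte string the reader renders on its own display
// and signs; the bank verifies over the same encoding (hypothetical format).
func (t Transfer) Canonical() []byte {
	return []byte(fmt.Sprintf("iban=%s;amount=%d;ref=%s", t.IBAN, t.Amount, t.Ref))
}

// Reader models a class 3 reader: the private key never leaves it, and the
// transfer is shown on the reader's display, not on the PC screen.
type Reader struct {
	key *rsa.PrivateKey
}

// NewReader generates a key pair as a stand-in for the key personalised on a real card.
func NewReader() (*Reader, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Reader{key: k}, nil
}

// Public is what the bank holds to verify the customer's signatures.
func (r *Reader) Public() *rsa.PublicKey { return &r.key.PublicKey }

// Sign shows t on the reader display and signs it only after the user confirms
// on the reader keypad. confirm models the user comparing the display with
// what they intended to send.
func (r *Reader) Sign(t Transfer, confirm func(shown Transfer) bool) ([]byte, error) {
	if !confirm(t) {
		return nil, errors.New("user rejected transfer on reader display")
	}
	digest := sha256.Sum256(t.Canonical())
	return rsa.SignPSS(rand.Reader, r.key, crypto.SHA256, digest[:], nil)
}

// BankAccepts is the server-side check: the transfer as received must carry a
// valid signature from the customer's card over that exact transfer.
func BankAccepts(pub *rsa.PublicKey, received Transfer, sig []byte) bool {
	digest := sha256.Sum256(received.Canonical())
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// Outcome records whether the bank accepted the transfer in each case.
type Outcome struct {
	Honest       bool // clean PC forwards what the user entered
	TamperAfter  bool // trojan rewrites the transfer after the reader signed it
	TamperBefore bool // trojan rewrites the transfer before it reaches the reader
}

// Run plays the three cases. intended is what the customer typed on the PC;
// mule is where the attacker wants the money to go (constructed sample data).
func Run() (Outcome, error) {
	reader, err := NewReader()
	if err != nil {
		return Outcome{}, err
	}
	intended := Transfer{IBAN: "DE00TESTGOOD0000000001", Amount: 10000, Ref: "rent"}
	mule := Transfer{IBAN: "DE00TESTMULE0000000002", Amount: 490000, Ref: "rent"}
	// An attentive user approves only if the display shows exactly the intended transfer.
	confirm := func(shown Transfer) bool { return shown == intended }
	var out Outcome

	// 1. Honest PC: reader shows the intended transfer, user confirms, bank verifies.
	sig, err := reader.Sign(intended, confirm)
	if err != nil {
		return out, err
	}
	out.Honest = BankAccepts(reader.Public(), intended, sig)

	// 2. Trojan alters the transfer after signing: the signature no longer matches.
	out.TamperAfter = BankAccepts(reader.Public(), mule, sig)

	// 3. Trojan alters the transfer before signing: the reader displays the mule
	// account, the user refuses on the keypad, and no signature is ever produced.
	if _, err := reader.Sign(mule, confirm); err == nil {
		out.TamperBefore = true
	}
	return out, nil
}

func main() {
	out, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest: %v, tampered after signing: %v, tampered before signing: %v\n",
		out.Honest, out.TamperAfter, out.TamperBefore)
}
```

The property that makes this work is that the bytes shown on the reader's display and the bytes under the signature are the same canonical encoding; a reader that displayed only a summary (or only the amount) while signing a different structure would reopen the gap the trojan exploits. Case 3 also shows the residual risk Viktor points at: if `confirm` always returned true (a user who presses accept without reading the display), the mule transfer would be signed and accepted.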
