funsec mailing list archives

Re: The end of Phishing in sight?


From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 18 Oct 2005 13:31:27 -0700

Richard M. Smith wrote:
People seem to accept using tokens at ATMs just fine to get to their money.
Why not for their online bank accounts?  (A better form factor might be a
thick credit card, rather than a key fob.)  The bigger problem is that these
fobs only marginally increase security over PINs and passwords.

Depends on what the fob does. I propose that an ideal fob does internal processing that is required for the transaction. This takes some of the decision process out of the user's hands, and they are missing the key bit of knowledge themselves (say, an embedded private key) so they cannot give away a copy. They can lose the entire fob, but they generally instinctively understand the consequences of that.

I used to admin a medium-size VPN infrastructure with a couple of thousand users, all levels of technical expertise, or lack of. I issued hardware tokens that took a PIN to activate, and which generated a one-time number in response. If a user gave away or lost the token, they denied themselves use of the system. That was an important piece of the strategy. It was possible with this particular system for a clever user to intentionally coordinate sharing their access with another person without losing access. They had to be pretty deliberate about it though, and it required a fair bit of collusion. That attack would have increased their chances of detection, too. And that particular attack was fixable at a technical level, with a slightly better design.

Point being that people freak out when they lose their ATM cards, and that's an intentional feature.

                                        BB
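An added example (not from the original post or thread) of the PIN-activated, one-time-number token described above, simulated with RFC 4226 HOTP and a server that only accepts codes inside a small look-ahead window; the seed, PIN, window size and the `demo()` scenario are constructed for illustration. It shows the property the post relies on: a wrong PIN yields nothing, a used code cannot be replayed, and a token that someone else has been pressing desynchronises its owner, either leaving a logged gap or locking the owner out.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    """PIN-activated event token: the seed never leaves the device, only codes do."""
    def __init__(self, seed: bytes, pin: str):
        self._seed, self._pin, self._counter = seed, pin, 0
    def press(self, pin: str):
        if not hmac.compare_digest(pin, self._pin):
            return None  # wrong PIN: no code and no counter advance
        self._counter += 1
        return hotp(self._seed, self._counter)

class Server:
    """Tracks the last accepted counter; accepts only codes inside a small look-ahead window."""
    def __init__(self, seed: bytes, window: int = 5):
        self._seed, self._last, self._window, self.log = seed, 0, window, []
    def verify(self, code) -> bool:
        if code is None:
            return False
        for c in range(self._last + 1, self._last + 1 + self._window):
            if hmac.compare_digest(hotp(self._seed, c), code):
                skipped = c - self._last - 1
                self._last = c  # codes at or below _last are now replays
                if skipped:
                    self.log.append(f"accepted after {skipped} unused codes")  # worth alerting on
                return True
        self.log.append("rejected: replay or out of window")
        return False

def demo() -> dict:
    seed = b"constructed-demo-seed"  # constructed; a real token seed is random
    tok, srv = Token(seed, "1234"), Server(seed, window=5)
    r = {"wrong_pin": tok.press("0000")}
    code = tok.press("1234")
    r["login"], r["replay"] = srv.verify(code), srv.verify(code)
    for _ in range(2):  # owner presses twice without logging in
        tok.press("1234")
    r["small_gap"] = srv.verify(tok.press("1234"))  # accepted, but the gap is logged
    for _ in range(7):  # someone else has pressed the token seven times
        tok.press("1234")
    r["owner_after_sharing"] = srv.verify(tok.press("1234"))  # owner is now locked out
    return r
```

The server's `log` is where the collusion the post mentions becomes visible: a gap wider than the window ends the owner's access outright, and a narrower one is the signal to investigate.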
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
