funsec mailing list archives
Re: The end of Phishing in sight?
From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 18 Oct 2005 13:31:27 -0700
Richard M. Smith wrote:
People seem to accept using tokens at ATMs just fine to get to their money. Why not for their online bank accounts? (A better form factor might be a thick credit card, rather than a key fob.) The bigger problem is that these fobs only marginally increase security over PINs and passwords.
Depends on what the fob does. I propose that an ideal fob does internal processing that is required for the transaction. This takes some of the decision process out of the users' hands, and they are missing the key bit of knowledge themselves (say, an embedded private key) so they cannot give away a copy. They can lose the entire fob, but they generally instinctively understand the consequences of that.
I used to admin a medium-sized VPN infrastructure with a couple of thousand users, all levels of technical expertise, or lack thereof. I issued hardware tokens that took a PIN to activate, and which generated a one-time number in response. If a user gave away or lost the token, they denied themselves use of the system. That was an important piece of the strategy. It was possible with this particular system for a clever user to intentionally coordinate sharing their access with another person without losing access. They had to be pretty deliberate about it though, and it required a fair bit of collusion. That attack would have increased their chances of detection, too. And that particular attack was fixable at a technical level, with a slightly better design.
Point being that people freak out when they lose their ATM cards, and that's an intentional feature.
BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
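As an added illustration of the fob design Blue Boar proposes above (this is example code written for this page, not code from the post, from the VPN system he describes, or from any product): the token holds an ECDSA private key that never leaves it, refuses to do anything without the right PIN, and signs the transaction details themselves rather than emitting a bare one-time number. The bank keeps only the public key and a per-request nonce, so a signature captured by a phisher cannot be redirected to a different payee or replayed. The account names, amounts, PIN and the three-strike lockout are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Transaction is what the bank is being asked to do. Every field is covered by
// the signature, so a captured signature is useless for any other transfer.
type Transaction struct {
	Account string
	Payee   string
	Amount  int64  // cents
	Nonce   uint64 // bank-issued challenge; stops replay of an identical transfer
}

func (t Transaction) digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", t.Account, t.Payee, t.Amount, t.Nonce)))
	return h[:]
}

// Token models the fob. The private key is generated inside and never exported,
// so the holder can lose the fob but cannot hand out a copy of the secret.
type Token struct {
	priv      *ecdsa.PrivateKey
	pinHash   [32]byte
	failures  int
	lockedOut bool
}

const maxPinFailures = 3 // assumed lockout policy for the example

func NewToken(pin string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

func (tk *Token) PublicKey() *ecdsa.PublicKey { return &tk.priv.PublicKey }

// Sign is the only operation the fob exposes: PIN in, signature over the
// transaction out. Too many bad PINs brick the fob rather than leak anything.
func (tk *Token) Sign(pin string, tx Transaction) ([]byte, error) {
	if tk.lockedOut {
		return nil, errors.New("token locked")
	}
	given := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(given[:], tk.pinHash[:]) != 1 {
		tk.failures++
		if tk.failures >= maxPinFailures {
			tk.lockedOut = true
		}
		return nil, errors.New("wrong PIN")
	}
	tk.failures = 0
	return ecdsa.SignASN1(rand.Reader, tk.priv, tx.digest())
}

// Bank holds only public keys plus the nonces it has handed out and not yet consumed.
type Bank struct {
	keys   map[string]*ecdsa.PublicKey
	nonces map[string]uint64
	next   uint64
}

func NewBank() *Bank {
	return &Bank{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]uint64{}}
}

func (b *Bank) Enroll(account string, pub *ecdsa.PublicKey) { b.keys[account] = pub }

// Challenge issues a fresh nonce that the token must include under its signature.
func (b *Bank) Challenge(account string) uint64 {
	b.next++
	b.nonces[account] = b.next
	return b.next
}

// Verify accepts the transfer only if the signature covers exactly these fields
// and the outstanding nonce, then retires the nonce so the signature cannot be replayed.
func (b *Bank) Verify(tx Transaction, sig []byte) bool {
	pub, ok := b.keys[tx.Account]
	if !ok {
		return false
	}
	if n, ok := b.nonces[tx.Account]; !ok || n != tx.Nonce {
		return false
	}
	if !ecdsa.VerifyASN1(pub, tx.digest(), sig) {
		return false
	}
	delete(b.nonces, tx.Account)
	return true
}

func main() {
	tok, _ := NewToken("4821") // constructed PIN for the example
	bank := NewBank()
	bank.Enroll("acct-1", tok.PublicKey())
	tx := Transaction{Account: "acct-1", Payee: "electric-co", Amount: 12550, Nonce: bank.Challenge("acct-1")}
	sig, _ := tok.Sign("4821", tx)
	phished := tx
	phished.Payee = "mule-account" // a phisher who captured sig tries to redirect it
	fmt.Println("redirected:", bank.Verify(phished, sig), "genuine:", bank.Verify(tx, sig), "replay:", bank.Verify(tx, sig))
}
```

The point the post makes is visible in `Sign` and `Verify`: what the user can be talked into revealing (the PIN, or one signature) is bound to one transaction and one nonce, whereas a bare one-time code like the VPN token's can be read out over the phone and used for whatever the recipient wants within its validity window.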