funsec mailing list archives
RE: The end of Phishing in sight?
From: Blanchard_Michael () emc com
Date: Tue, 18 Oct 2005 17:00:54 -0400
I certainly agree that spyware running on a victim's machine can circumvent any protection that is put in place. Perhaps online banks should make it mandatory to run a spyware program and an antivirus program before activating an online banking account? Although this gets very hairy, very quickly. But there are enough free spyware checkers that are better than non-free versions, and there are a few AV products that are "good enough" for banking and are free. Perhaps online banks should just make a very stern recommendation that users run these programs, and make it sound like they are required to use the online bank.....

Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I
Office of Information Security & Risk Management
EMC² Corporation
4400 Computer Dr.
Westboro, MA 01580
email: Blanchard_Michael () EMC COM

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Tuesday, October 18, 2005 4:47 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

I agree that a USB dongle is probably the best choice for a two-factor authentication scheme. However, a USB dongle is still attackable via spyware. A spyware program can inject JavaScript code in banking Web pages to steal money after a victim has logged into their account. Perhaps IE needs to turn off DOM access by external programs, BHOs, and toolbars for https: Web pages.

Does anyone have figures of money losses at online bank accounts broken down by phishing scams vs. spyware?

Richard

-----Original Message-----
From: Blanchard_Michael () emc com [mailto:Blanchard_Michael () emc com]
Sent: Tuesday, October 18, 2005 4:29 PM
To: rms () computerbytesman com; funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

I think the USB dongle/fob would work well. How many people perform banking on a machine other than the one at home? Plug it into your PC at home and forget about it; they'll never really have to carry it anywhere, as ATMs would still use bank cards. Make it a bit more secure by adding a fingerprint scan to ensure that it's actually the user's fob that is being used. Encryption within the USB dongle/fob would encrypt the fingerprint/UN/PW/PIN using a SecurID-like one-time-use code and send it along to the bank. This would ensure that it's the actual user's USB device that is encrypting it and sending the access instructions to the bank's site. It would also be easy enough to use that the end user would be willing to use it, as they basically only have to plug the thing in once, and swipe their finger on it when they want to access their banking account.

Mike B

Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I
Office of Information Security & Risk Management
EMC² Corporation
4400 Computer Dr.
Westboro, MA 01580
email: Blanchard_Michael () EMC COM

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Richard M. Smith
Sent: Tuesday, October 18, 2005 4:10 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

People seem to accept using tokens at ATMs just fine to get to their money. Why not for their online bank accounts? (A better form factor might be a thick credit card, rather than a key fob.)

The bigger problem is that these fobs only marginally increase security over PINs and passwords.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Gary Warner
Sent: Tuesday, October 18, 2005 3:12 PM
To: funsec () linuxbox org
Subject: [funsec] The end of Phishing in sight?

This whole thread rather loses the point that carrying an RSA token for banking purposes is going to be a HUGE burden on the end-users, that they will probably not go along with.

At my employer, we grant "email only" access on a password, and "full network" access (really only those portions published in their Citrix neighborhood) to people who use the RSA token. We have 1300 users, and have given out fewer than 100 tokens. Most of them we have given out are either not used, or actually RETURNED. Of the few that use them, a goodly number have had to get replacements, as they lose the token. Or they call on the weekend because they want something on the network but their token is at work, and what should they do?

The whole thing rather surprised me, as in other industries where I have worked you had to have your token with you to log in to your own PC even at work! I guess it's a "corporate culture". The problem is "what is the corporate culture of a home banking customer"?

My guess is banks that force the issue will see a great customer migration. Certain security-minded customers flocking to them, and probably 3x as many convenience-minded customers fleeing them.

_-_
gar

(who admittedly hasn't read the whole thread yet, and may be repeating something someone else said.)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- RE: The end of Phishing in sight?, (continued)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 18)
- The end of Phishing in sight? Gary Warner (Oct 18)
- Re: The end of Phishing in sight? Valdis . Kletnieks (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- Re: The end of Phishing in sight? Blue Boar (Oct 18)
- RE: The end of Phishing in sight? Blanchard_Michael (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- Re: The end of Phishing in sight? Blue Boar (Oct 18)
- RE: The end of Phishing in sight? Jeff Rosowski (Oct 18)
- RE: The end of Phishing in sight? Richard M. Smith (Oct 18)
- RE: The end of Phishing in sight? Blanchard_Michael (Oct 18)
- Re: The end of Phishing in sight? Tom Van Vleck (Oct 18)
- RE: The end of Phishing in sight? Henderson, Dennis K. (Oct 18)
- Re: The end of Phishing in sight? Fergie (Paul Ferguson) (Oct 18)
- Re: Re[4]: The end of Phishing in sight? Dr. Neal Krawetz (Oct 19)
- Re[6]: The end of Phishing in sight? Pierre Vandevenne (Oct 19)