funsec mailing list archives

RE: The end of Phishing in sight?


From: Blanchard_Michael () emc com
Date: Tue, 18 Oct 2005 17:00:54 -0400

 I certainly agree that spyware running on a victim's machine can circumvent
any protection that is put in place.  

  Perhaps online banks should make it mandatory to run a spyware program and
an antivirus program before activating an online banking account?  Although
this gets very hairy, very quickly.  But there are enough free spyware
checkers that are better than non-free versions, and there are a few AV
products that are "good enough" for banking and are free.  Perhaps online
banks should just make a very stern recommendation that users run these
programs, and make it sound like they are required to use the online
bank.....


Michael P. Blanchard 
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I 
Office of Information Security & Risk Management 
EMC ² Corporation 
4400 Computer Dr. 
Westboro, MA 01580 
email:  Blanchard_Michael () EMC COM 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Richard M. Smith
Sent: Tuesday, October 18, 2005 4:47 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

I agree that a USB dongle is probably the best choice for a two-factor
authentication scheme.  However, a USB dongle is still attackable via
spyware.  A spyware program can inject JavaScript code in banking Web pages
to steal money after a victim has logged into their account.  Perhaps IE
needs to turn off DOM access by external programs, BHOs, and toolbars for
https: Web pages.

Does anyone have figures of money losses at online bank accounts broken down
by phishing scams vs. spyware?

Richard 

-----Original Message-----
From: Blanchard_Michael () emc com [mailto:Blanchard_Michael () emc com] 
Sent: Tuesday, October 18, 2005 4:29 PM
To: rms () computerbytesman com; funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

 I think the USB dongle/fob would work well.  How many people perform
banking on a machine other than the one at home?  Plug it into your PC at
home and forget about it, they'll never really have to carry it anywhere as
ATMs would still use bank cards.  Make it a bit more secure by adding a
fingerprint scan to ensure that it's actually the user's fob that is being
used.  Encryption within the USB dongle/fob would encrypt the
fingerprint/UN/PW/PIN using a SecurID-like one time use code and send it
along to the bank.

   This would ensure that it's the actual user's USB device that is
encrypting it and sending the access instructions to the bank's site.  It
would also be easy enough to use that the end user would be willing to use it,
as they basically only have to plug the thing in once, and swipe their
finger on it when they want to access their banking account.

Mike B


Michael P. Blanchard
Antivirus / Security Engineer, CISSP, GCIH, MCSE, MCP+I
Office of Information Security & Risk Management
EMC ² Corporation
4400 Computer Dr.
Westboro, MA 01580
email:  Blanchard_Michael () EMC COM

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Richard M. Smith
Sent: Tuesday, October 18, 2005 4:10 PM
To: funsec () linuxbox org
Subject: RE: [funsec] The end of Phishing in sight?

People seem to accept using tokens at ATMs just fine to get to their money.
Why not for their online bank accounts?  (A better form factor might be a
thick credit card, rather than a key fob.)  The bigger problem is that these
fobs only marginally increase security over PINs and passwords.

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Gary Warner
Sent: Tuesday, October 18, 2005 3:12 PM
To: funsec () linuxbox org
Subject: [funsec] The end of Phishing in sight?

This whole thread rather loses the point that carrying an RSA token for
banking purposes is going to be a HUGE burden on the end-users, that they
will probably not go along with.  At my employer, we grant "email only"
access on a password, and "full network" access (really only those portions
published in their Citrix neighborhood) to people who use the RSA token.  We
have 1300 users, and have given out less than 100 tokens.  Most of them we
have given out are either not used, or actually RETURNED.  Of the few that
use them, a goodly number have had to get replacements, as they lose the
token.  Or they call on the weekend because they want something on the
network but their token is at work, and what should they do?

The whole thing rather surprised me, as in other industries where I have
worked you had to have your token with you to log in to your own PC even at
work!  I guess it's a "corporate culture".  The problem is "what is the
corporate culture of a home banking customer"?

My guess is banks that force the issue will see a great customer migration.
Certain security-minded customers flocking to them, and probably 3x as many
convenience-minded customers fleeing them.

_-_
gar  (who admittedly hasn't read the whole thread yet, and may be repeating
something someone else said.)
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
