funsec mailing list archives
Re: The end of Phishing in sight?
From: Tom Van Vleck <thvv () multicians org>
Date: Tue, 18 Oct 2005 17:39:10 -0400
On Oct 18, 2005, at 5:00 PM, Blanchard_Michael () emc com wrote:
I certainly agree that spyware running on a victim's machine can circumvent any protection that is put in place.
The "right way" to do this is with a display and input on the trusted device. Then you can work out a protocol where the token displays the transaction and the user confirms it, and the PC becomes just another part of the untrusted network. This was our conclusion when I worked at CyberCash on the SET protocol some years back.
Perhaps online banks should make it mandatory to run a spyware program and an antivirus program before activating an online banking account? Although this gets very hairy, very quickly. But there are enough free spyware checkers that are better than non-free versions, and there are a few AV products that are "good enough" for banking and are free. Perhaps online banks should just make a very stern recommendation that users run these programs, and make it sound like they are required to use the online bank.....
Free checkers for all operating systems or just One Chosen OS? I can see it now, bank insists that I run a buggy insecure OS in order to run a spyware checker that "fixes" the problems the buggy insecure OS caused in the first place. How bout an online bank that just refuses to work with certain products and operating systems known to be insecure? ie 90% of the market? Oops.
The Trusted Computing stuff is another approach. Conceal within the user's PC what is basically a second computer, with its own hypervisor and a trustable OS. Then the bank and the TPM can exchange crypto and do stuff. Nice thing about that is that it can be much more powerful than a smartcard. You believe that one?
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
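The trusted-device confirmation described in the message above, as an added example that is not part of the original post: the token authenticates exactly the transaction it displayed, so a PC that rewrites the payee is caught either by the user (wrong text on the token) or by the bank (MAC over a different transaction). The HMAC construction, the shared key, the class and field names and the sample values are assumptions for illustration; the post does not specify a protocol.

```python
import hashlib
import hmac
import json
import secrets

def encode(tx, nonce):
    """Unambiguous bytes for the transaction plus the bank's one-time nonce."""
    return json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True).encode()

def tag(key, tx, nonce):
    return hmac.new(key, encode(tx, nonce), hashlib.sha256).hexdigest()

class Token:
    """Trusted device (hypothetical): own display and button; key stays inside."""
    def __init__(self, key):
        self._key = key

    def confirm(self, tx, nonce, user_approves):
        shown = f"Pay {tx['amount']} to {tx['payee']}"  # rendered on the token
        return tag(self._key, tx, nonce) if user_approves(shown) else None

class Bank:
    def __init__(self, key):
        self._key = key
        self._pending = {}  # nonce -> transaction the bank was asked to run

    def begin(self, tx):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = tx
        return nonce

    def finish(self, nonce, mac):
        tx = self._pending.pop(nonce, None)  # single use, so a replay fails
        if tx is None or mac is None:
            return False
        return hmac.compare_digest(tag(self._key, tx, nonce), mac)

def run(intent, sent_to_bank, shown_on_token):
    """The PC is untrusted: it picks what the bank and the token each receive."""
    key = secrets.token_bytes(32)  # assumed provisioned into the token by the bank
    bank, token = Bank(key), Token(key)
    wanted = f"Pay {intent['amount']} to {intent['payee']}"
    nonce = bank.begin(sent_to_bank)
    mac = token.confirm(shown_on_token, nonce, lambda shown: shown == wanted)
    return bank.finish(nonce, mac)

INTENT = {"payee": "ACCT-LANDLORD", "amount": "900.00"}  # constructed sample
FORGED = {"payee": "ACCT-MULE", "amount": "900.00"}      # PC-side rewrite
```

`run(INTENT, INTENT, INTENT)` is the honest path; passing `FORGED` to the bank, with or without showing it on the token, is rejected.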