funsec mailing list archives
Re: New security measures at the Cambridge Savings Bank
From: Valdis.Kletnieks () vt edu
Date: Tue, 31 Oct 2006 16:58:09 -0500
On Tue, 31 Oct 2006 15:04:33 EST, "Richard M. Smith" said:
> To log onto a bank account, one still uses a username and password. However, the computer must also have a special "security" cookie set on the computer. This cookie gets generated by the bank's Web site after someone answers a number of "secret" questions about their account. An account can also be locked down to only work on one particular computer. I'm not sure what happens if someone clears out their browser cookies.
Oh dear, another security scheme that provides zero additional benefit if the PC in question has been pwned by any sort of keystroke logger or similar spyware - at that point snarfing up all the cookies in addition to user/pass is trivial.

Of course, to be fair, it's *really* hard to do something in a secure manner when there's a very real non-zero chance that you're doing the computing on a platform that's controlled by the adversary.

Anybody got good recent numbers on what % of PCs are essentially pwned by spyware/adware/etc (include *any* software that's able to "phone home" to update itself, as it means that added snoopware can be downloaded at any arbitrary time)?
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.