Penetration Testing mailing list archives
Re: [PEN-TEST] Your opinions ... last request
From: Frank Knobbe <FKnobbe () KNOBBEITS COM>
Date: Wed, 1 Nov 2000 21:59:36 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-----Original Message-----
From: Jim Miller [mailto:MillerJ () FABSSB COM]
Sent: Wednesday, November 01, 2000 9:10 AM

[...]

The client side security is less than adequate, and the bank intends to protect itself using legal stipulations in signed client contracts. But this obvious step will be pointless if the system we deploy to the customer is easily hacked. For the customer, physical security is a recommended control, and necessary to prevent the obvious hack, theft of the hardware. But if the certificate itself is easily removed from the client and can be transported and installed on another PC, the client is even more easily hacked. It would not do the bank any good to deploy the system to any customer if the certificate is readily accessible by any employee with a fair technical knowledge.

This begs [the last and final] question: can the certificate be exported to another PC without re-issuance by the bank? Where does the certificate reside on the client? How easily is it hacked, copied, transported, and / or re-installed?
Jim, you might want to check with other banks and see how they are tackling this. I know of a few who actually use tokens (Vasco's tokens being their favorite). At under $50 per token it is affordable.

Certificates are just not easy to control. You give the client a certificate, have him install it and sign a legal agreement taking full responsibility. Months later that same client will sell his old computer to a friend, having forgotten the long-ago installed certificate.

A token is different. A token is physically present, just like an ATM card. The client won't lose it without noticing (even if he does, the token is protected by a PIN), the client won't make inadvertent copies of it (you know, the backup of the public/private certificate keypair on ZIP drive/CD-ROM/tape that everyone forgets about), the client won't need to reinstall it when his OS crashes and he has to reinstall, etc. The main advantage is that it is something the client will hold in his hand while logging on to his account. From a psychological point of view, it reminds the client about security.

Use the token to have the client authenticate his session, then rely on SSL and secure session cookies for the rest of the session. Oh, and when the client forgets his PIN and/or locks out the token, your helpdesk can re-enable it remotely (of course after identifying the client in an appropriate manner). Much easier than revoking the certificate and issuing a new one.

Let me know if you would like more info about the token thing. Seems to work out great for several large banks.

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOgDmqERKym0LjhFcEQLgrQCg94Du8yakLps9OqHTMchwGpnFFjEAnRu6
BDKubNbWmfA4Cu+MlhO6z3O/
=sF80
-----END PGP SIGNATURE-----
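The server-side half of the flow Frank describes (token plus PIN to open the session, a lockout the helpdesk can clear, then a secure cookie for the rest of the session), written out as an added example; this is not code from the thread and not Vasco's product. It assumes the token is a counter-based one-time-password device modelled with HOTP (RFC 4226), that the PIN is verified on the server next to the OTP (many real tokens check the PIN on the device instead), an in-memory store in place of the bank's database, and an HttpOnly cookie attribute that postdates this thread. The `TokenAuth` class, `MAX_FAILURES`, `LOOKAHEAD` and the user name "alice" are all hypothetical names chosen for the example.

```python
"""Token-then-cookie login flow (added example; not from the original thread).

Assumptions (not stated on the page): HOTP (RFC 4226) stands in for the bank
token, the PIN is checked server-side, and records live in a dict.
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass

MAX_FAILURES = 3   # bad attempts before the token is locked (hypothetical policy)
LOOKAHEAD = 5      # counter window tolerated if the user pressed the button offline


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class TokenRecord:
    secret: bytes        # shared seed programmed into the token at issuance
    pin_hash: bytes
    pin_salt: bytes
    counter: int = 0     # next counter value the server expects
    failures: int = 0
    locked: bool = False


class TokenAuth:
    def __init__(self) -> None:
        self.tokens: dict[str, TokenRecord] = {}
        self.sessions: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _pin_hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user: str, secret: bytes, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.tokens[user] = TokenRecord(secret, self._pin_hash(pin, salt), salt)

    def login(self, user: str, pin: str, otp: str):
        """Return a session id on success, None otherwise (no hint which factor failed)."""
        rec = self.tokens.get(user)
        if rec is None or rec.locked:
            return None
        pin_ok = hmac.compare_digest(self._pin_hash(pin, rec.pin_salt), rec.pin_hash)
        otp_ok = False
        if pin_ok:
            # Accept the expected counter or a few ahead; never one already used,
            # so a captured code cannot be replayed.
            for c in range(rec.counter, rec.counter + LOOKAHEAD):
                if hmac.compare_digest(hotp(rec.secret, c).encode(), otp.encode()):
                    rec.counter = c + 1   # resync to the token's position
                    otp_ok = True
                    break
        if not (pin_ok and otp_ok):
            rec.failures += 1
            if rec.failures >= MAX_FAILURES:
                rec.locked = True     # stays locked until the helpdesk re-enables it
            return None
        rec.failures = 0
        sid = secrets.token_urlsafe(32)   # unguessable id; the token is not used again
        self.sessions[sid] = (user, time.time())
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Session rides on the cookie from here on; Secure keeps it on SSL only."""
        return f"Set-Cookie: session={sid}; Secure; HttpOnly; Path=/"

    def helpdesk_unlock(self, user: str, identity_verified: bool) -> bool:
        """Remote re-enable after the agent has identified the caller."""
        if not identity_verified or user not in self.tokens:
            return False
        rec = self.tokens[user]
        rec.locked, rec.failures = False, 0
        return True


if __name__ == "__main__":
    auth = TokenAuth()
    auth.enrol("alice", b"12345678901234567890", "1234")   # RFC 4226 test seed
    sid = auth.login("alice", "1234", hotp(b"12345678901234567890", 0))
    print(auth.cookie_header(sid))
```

The seed in the usage is the RFC 4226 test vector, so the first code is 755224 and a replay of it is refused once the counter has moved on; a code from a few presses ahead is still accepted and resynchronises the counter.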
Current thread:
- [PEN-TEST] Your opinions ... last request Jim Miller (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Gary Flynn (Nov 02)
- <Possible follow-ups>
- Re: [PEN-TEST] Your opinions ... last request Eric Lauzon (Nov 02)
- Re: [PEN-TEST] Your opinions ... last request Frank Knobbe (Nov 03)
- Re: [PEN-TEST] Your opinions ... last request Deus, Attonbitus (Nov 03)