![webappsec logo](/images/webappsec-logo.png)
WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Wed, 19 Jan 2005 02:18:33 -0800
I think it is a reasonable thing to say to users when the certificate is issued to them: We will NOT EVER ask you for any other authentication information on our web site. This certificate is the only way that you authenticate to us on the Internet. If you ever see our bank web site asking you for your authentication information, please report it immediately to our security department.
But how will it be said? On paper? It will be ignored. Over the phone? Forgotten. In person ? Probably ignored. Nailed to their forehead ? ...
Ah yes, of course. Then we face the problem of users having lots of these little devices ... or losing them, or insecure use (leave in slot), etc ...Well, it is possible for a single token to contain multiple certificates/private keys, so it does not HAVE to lead to proliferation. And of course, a number of banks are issuing smart card based credit cards and debit cards. I wonder how big a leap it would be for the banks to include a private key on the card, too.
But then you are creating more problems for the poor customer who loses his card. Not only does he now have to worry about his credit limit being maxed, but all his savings stolen too...
Then, with a smart card reader, which will become ubiquitous as more and more banks start using this technique, you simply plug in your credit card, and you are authenticated. It should even be possible to enforce good password controls in the smart card, such as limiting the number of retries, enforcing a password length, etc. Password reset could possibly even be handled by the ATM's, if they have access to a PUK. I would like to think that people would not leave their credit cards in the slot when they are finished, as they asociate the credit card with physical security (keep it with me).
And I'd like to think that users would lock their workstations when they wander around the office, or, or, or ... The slots would have to beep very annoyingly to remind the user to take it out (a la ATMs) otherwise they would most definately forget. Even still, how many people would leave their wallets at their desk (I do). What about women (not to get sexist here ...:)) but I don't see them carrying their purse around the office :) -- Michael
Current thread:
- Re: Proposal to anti-phishing, (continued)
- Re: Proposal to anti-phishing Robert Hajime Lanning (Jan 24)
- Re: Proposal to anti-phishing Frank Knobbe (Jan 19)
- Re: Proposal to anti-phishing Florian Weimer (Jan 19)
- RE: Proposal to anti-phishing ACMurray (Jan 15)
- RE: Proposal to anti-phishing Michael Silk (Jan 19)
- Re: Proposal to anti-phishing exon (Jan 23)
- RE: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Michael Silk (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 23)