WebApp Sec mailing list archives
Re: Proposal to anti-phishing
From: Cory Foy <Cory.Foy () mobilehwy com>
Date: Wed, 19 Jan 2005 07:47:07 -0500
Rob Skedgell wrote:
- a higher level, additionally requiring both a client-side certificate *and* a valid IP address range from the customer's nominated ISP which would allow new payment instructions to be created and other details viewed/amended.

These would of course only raise the bar, and UK banks appear to favour increasing *their* security, not the customer's. The current debate on chip-and-PIN in the UK and the handling of phantom ATM transactions (see http://www.cl.cam.ac.uk/~mkb23/phantom/ ) should give a flavour.

Of course, if banks digitally signed their legitimate emails and had done so from the start...
A couple of things here. Obviously any IP address can be spoofed, but I think more of an issue is that in bigger cities the customer's IP address would be coming from a pool of many, many customers. In addition, I know that I've travelled before and needed to perform transactions while halfway around the world.
In regards to the digital signing of emails - I've found that *my* signed emails have a difficult time reaching the people I email. Something on their end modifies the email, and Outlook (which is usually the issue) says that the email has an invalid signature.
All of this goes to what a previous poster wrote, that the bank's number one focus is a seamless experience for the customers. For example, I did a project at a large financial institution dealing with highly secured information that bank employees would be accessing in other countries. For all the encryption they wanted, they didn't bother with securing the routers getting the information to the end employees, nor did they want to implement it over SSL. They didn't want to do anything that would make the user experience "difficult" - even for their own employees.
Cory
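The signed-email failure Cory describes (a gateway or client touches the message in transit and the signature no longer verifies) comes down to what bytes the signature covers. The following is an added example, not code from the original post or from any mail product it mentions. It uses HMAC-SHA256 as a stand-in for the S/MIME signature (an assumption; the signing algorithm is not the point) and contrasts a signature over the raw bytes with one over a relaxed canonical form modelled on DKIM's relaxed body canonicalisation (RFC 6376 section 3.4.4). The message body, the signing key and the three "gateway" rewrites are all constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Constructed demo key; HMAC-SHA256 stands in for an S/MIME signature.
SIGNING_KEY = b"constructed-demo-key"

# Constructed message body exactly as it left the sender (CRLF line endings).
ORIGINAL_BODY = (
    b"Dear customer,\r\n"
    b"Your new payment instruction has been created.\r\n"
    b"Regards,\r\n"
    b"The Bank\r\n"
)


def simple_canon(body: bytes) -> bytes:
    """'Simple' canonicalisation: sign the bytes exactly as sent."""
    return body


def relaxed_canon(body: bytes) -> bytes:
    """Relaxed body canonicalisation in the spirit of DKIM (RFC 6376 s3.4.4):
    treat CRLF, LF and CR as line breaks, strip trailing whitespace on each
    line, collapse runs of spaces/tabs to one space, drop trailing empty
    lines, and re-emit with CRLF."""
    text = body.decode("utf-8", errors="replace")
    lines = re.split(r"\r\n|\n|\r", text)
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def sign(body: bytes, canon) -> str:
    """Sign the canonicalised body; returns a hex digest."""
    return hmac.new(SIGNING_KEY, canon(body), hashlib.sha256).hexdigest()


def verify(body: bytes, sig: str, canon) -> bool:
    """Recompute the signature over the (possibly altered) body and compare."""
    return hmac.compare_digest(sign(body, canon), sig)


# Three things a mail gateway or client commonly does to a message in transit.
def gateway_rewrites_line_endings(body: bytes) -> bytes:
    return body.replace(b"\r\n", b"\n")


def gateway_adds_trailing_whitespace(body: bytes) -> bytes:
    return body.replace(b"created.\r\n", b"created. \r\n")


def gateway_appends_disclaimer(body: bytes) -> bytes:
    return body + b"\r\nThis email has been scanned for viruses.\r\n"


def demo() -> dict:
    """For each canonicalisation, sign the original and verify after each
    rewrite. Returns {canon_name: {case_name: verified?}}."""
    rewrites = {
        "unchanged": lambda b: b,
        "line_endings": gateway_rewrites_line_endings,
        "trailing_ws": gateway_adds_trailing_whitespace,
        "disclaimer": gateway_appends_disclaimer,
    }
    results = {}
    for name, canon in (("simple", simple_canon), ("relaxed", relaxed_canon)):
        sig = sign(ORIGINAL_BODY, canon)
        results[name] = {
            case: verify(rewrite(ORIGINAL_BODY), sig, canon)
            for case, rewrite in rewrites.items()
        }
    return results


if __name__ == "__main__":
    for canon_name, cases in demo().items():
        for case, ok in cases.items():
            print(f"{canon_name:8s} {case:13s} {'valid' if ok else 'INVALID'}")
```

With the raw-bytes signature, any of the three rewrites produces the "invalid signature" warning the recipient's client shows. The relaxed form survives the cosmetic changes (line-ending conversion, trailing whitespace) but still fails when a disclaimer is appended, which is the correct outcome: content really was added after signing, and a verifier cannot tell a benign footer from a malicious one.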
Current thread:
- Re: Proposal to anti-phishing, (continued)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing WebAppSecurity [Technicalinfo.net] (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 15)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Moksha Faced (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 16)
- Re: Proposal to anti-phishing Rob Skedgell (Jan 19)
- Re: Proposal to anti-phishing Cory Foy (Jan 23)
- Re: Data sanitization approaches in Java Jeff Williams (Jan 16)
- Re: Data sanitization approaches in Java Stephen de Vries (Jan 19)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 19)
- RE: Proposal to anti-phishing Lyal Collins (Jan 23)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- RE: Proposal to anti-phishing Lyal Collins (Jan 24)
- Re: Proposal to anti-phishing Rogan Dawes (Jan 24)
- Re: Proposal to anti-phishing Griffiths, Ian (Jan 24)