WebApp Sec mailing list archives

Re: Proposal to anti-phishing


From: Cory Foy <Cory.Foy () mobilehwy com>
Date: Wed, 19 Jan 2005 07:47:07 -0500

Rob Skedgell wrote:
> - a higher level, additionally requiring both a client-side certificate *and* a valid IP address range from the customer's nominated ISP which would allow new payment instructions to be created and other details viewed/amended.
>
> These would of course only raise the bar, and UK banks appear to favour increasing *their* security, not the customer's. The current debate on chip-and-PIN in the UK and the handling of phantom ATM transactions (see http://www.cl.cam.ac.uk/~mkb23/phantom/ ) should give a flavour.
>
> Of course, if banks digitally signed their legitimate emails and had done so from the start...

A couple of things here. Obviously any IP address can be spoofed, but I think more of an issue is that in bigger cities the customer's IP address would be coming from a pool of many, many customers. In addition, I know that I've travelled before and needed to perform transactions while halfway around the world.

In regards to the digital signing of emails - I've found that *my* signed emails have a difficult time reaching the people I email. Something on their end modifies the email, and Outlook (which is usually the issue) says that the email has an invalid signature.

All of this goes to what a previous poster wrote: that the bank's number one focus is a seamless experience for the customers. For example, I did a project at a large financial institution dealing with highly secured information that bank employees would be accessing in other countries. For all the encryption they wanted, they didn't bother with securing down the routers getting the information to the end employees, nor did they want to implement it over SSL. They didn't want to do anything that would make the user experience "difficult" - even for their own employees.

Cory