Re: Proposal to anti-phishing

[Rogan Dawes <discard () dawes za net>]

Florian Weimer wrote:
> * Rafael San Miguel:
>
>
> > The solution is based in a hardware token that is
> > delivered to every customer. This token includes the
> > true certificate that should be presented by the bank
> > when a customer access his/her account, and a program
> > that checks if the certificate presented by the
> > webpage is consistent with the first one. The program
> > is in read-only memory so that it can't be modified by
> > anything external to it.
>
>
> It's acceptable neither to customers nor to banks.  These days,
> zero-setup online banking is an absolute must.

If clients are prepared to accept the consequences of having this 
"zero-setup" online banking, so be it.

Zero-setup online banking will be possible again (with SSL client certs, 
hear me beat the drum once more) once enough clients have smart card 
readers as standard equipment, properly integrated with the operating 
system and the browsers.

For an example, I look to the Dell Latitude D600, which comes with an 
integrated smart card reader. Maybe a good feature addition for the new 
LCD monitors would be a smart card reader slot, connected via USB. The 
more people use them, the more ubiquitous they will be, and the less 
"setup" will be required by new users/clients.

We cannot just avoid the issue by saying that banks and clients "don't 
wannna!" go to the trouble of setting up a new device so they can be 
secure online.

If we all say "I don wanna!", we'll never get there. And that would be a 
shame.

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"