Bank security

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Mar 13, 2005.

  1. Caught a bit of the item on TV1 this morning where this computer
    consultant showed this gadget called the "I-Key", I think it was. This
    is a little USB dongle that plugs into your PC and plays an integral
    part in the authentication handshake with the bank before you can do
    your on-line banking. Without the key, no-one can get into your accounts.

    Trouble is, if the PC has been subverted by spyware, then the
    controllers of that spyware can still observe everything you do, and an
    even more malicious trojan could take over your machine after you've
    logged on and transfer your money to another account, that kind of thing.

    In other words, a secure gadget that depends on an insecure PC to
    operate is still insecure.

    I gather some NZ banks operate a two-factor system, where after logging
    on with your PC, you get an SMS message on your cell phone with an
    additional code that you need to enter before the logon can proceed.

    Actually this is still susceptible to the spyware problem. The only way
    to get around this problem is to take Windows PCs completely out of the
    loop.
    Lawrence D'Oliveiro, Mar 13, 2005
    #1

  2. Axle (Guest)

    Lawrence D'Oliveiro wrote:
    > Caught a bit of the item on TV1 this morning where this computer
    > consultant showed this gadget called the "I-Key", I think it was. This
    > is a little USB dongle that plugs into your PC and plays an integral
    > part in the authentication handshake with the bank before you can do
    > your on-line banking. Without the key, no-one can get into your accounts.
    >
    > Trouble is, if the PC has been subverted by spyware, then the
    > controllers of that spyware can still observe everything you do, and an
    > even more malicious trojan could take over your machine after you've
    > logged on and transfer your money to another account, that kind of thing.
    >
    > In other words, a secure gadget that depends on an insecure PC to
    > operate is still insecure.
    >
    > I gather some NZ banks operate a two-factor system, where after logging
    > on with your PC, you get an SMS message on your cell phone with an
    > additional code that you need to enter before the logon can proceed.
    >
    > Actually this is still susceptible to the spyware problem. The only way
    > to get around this problem is to take Windows PCs completely out of the
    > loop.


    Make that any PC or device where keystrokes can be observed.
    Axle, Mar 13, 2005
    #2

  3. colinco (Guest)

    In article Lawrence D'Oliveiro says...
    > I gather some NZ banks operate a two-factor system, where after logging
    > on with your PC, you get an SMS message on your cell phone with an
    > additional code that you need to enter before the logon can proceed.
    >
    > Actually this is still susceptible to the spyware problem. The only way
    > to get around this problem is to take Windows PCs completely out of the
    > loop.
    >
    >

    If the operator of the PC is in on the scam it doesn't matter what OS is
    used.
    colinco, Mar 13, 2005
    #3
  4. On Mon, 14 Mar 2005 10:22:27 +1300, colinco wrote:

    > In article Lawrence D'Oliveiro says...
    >> I gather some NZ banks operate a two-factor system, where after logging
    >> on with your PC, you get an SMS message on your cell phone with an
    >> additional code that you need to enter before the logon can proceed.
    >>
    >> Actually this is still susceptible to the spyware problem. The only way
    >> to get around this problem is to take Windows PCs completely out of the
    >> loop.
    >>
    >>

    > If the operator of the PC is in on the scam it doesn't matter what OS is
    > used.


    unless you use a live CD such as Knoppix or BartPE (Windows) and check for
    hardware keyloggers,
    and even then you have to inspect every machine between yourself and the
    bank's server (ahhh, ain't cellular networks grand) oh and I mean the
    intarweb is cellular, not the mobile phones' version
    --

    Hardware, n.: The parts of a computer system that can be kicked
    Shane (aka froggy), Mar 13, 2005
    #4
  5. "Lawrence D'Oliveiro" <_zealand> wrote in message
    news:...
    > Caught a bit of the item on TV1 this morning where this computer
    > consultant showed this gadget called the "I-Key", I think it was. This
    > is a little USB dongle that plugs into your PC and plays an integral
    > part in the authentication handshake with the bank before you can do
    > your on-line banking. Without the key, no-one can get into your accounts.
    >
    > Trouble is, if the PC has been subverted by spyware, then the
    > controllers of that spyware can still observe everything you do, and an
    > even more malicious trojan could take over your machine after you've
    > logged on and transfer your money to another account, that kind of thing.
    >
    > In other words, a secure gadget that depends on an insecure PC to
    > operate is still insecure.
    >
    > I gather some NZ banks operate a two-factor system, where after logging
    > on with your PC, you get an SMS message on your cell phone with an
    > additional code that you need to enter before the logon can proceed.
    >
    > Actually this is still susceptible to the spyware problem. The only way
    > to get around this problem is to take Windows PCs completely out of the
    > loop.


    Yes, but what good is your password to someone if there's still the need of
    a second authentication device that they don't have?

    This is actually quite secure, if the device generates one-time use
    passwords. People observing your connection will not be able to reuse your
    password without the device. This is akin to using biometrics for
    authentication on top of a password. Even if someone steals your thumb they
    still need your password.

    Security in many levels can be limited by things you know (password), things
    you have (a one-time password generator or token), things you are
    (biometrics).

    Think of banks sending an SMS with a code you have to enter before accepting
    a transfer transaction: like the one-time password generator, if the bad guy
    doesn't have your mobile phone, even with a password he will not be able to
    transfer the money.


    --
    Mauricio Freitas, Microsoft MVP Mobile Devices
    http://www.geekzone.co.nz
    Mauricio Freitas, Mar 13, 2005
    #5
  6. Rob J (Guest)

    In article <>, ldo@geek-
    central.gen.new_zealand says...
    > Caught a bit of the item on TV1 this morning where this computer
    > consultant showed this gadget called the "I-Key", I think it was. This
    > is a little USB dongle that plugs into your PC and plays an integral
    > part in the authentication handshake with the bank before you can do
    > your on-line banking. Without the key, no-one can get into your accounts.
    >
    > Trouble is, if the PC has been subverted by spyware, then the
    > controllers of that spyware can still observe everything you do, and an
    > even more malicious trojan could take over your machine after you've
    > logged on and transfer your money to another account, that kind of thing.
    >
    > In other words, a secure gadget that depends on an insecure PC to
    > operate is still insecure.
    >
    > I gather some NZ banks operate a two-factor system, where after logging
    > on with your PC, you get an SMS message on your cell phone with an
    > additional code that you need to enter before the logon can proceed.
    >
    > Actually this is still susceptible to the spyware problem. The only way
    > to get around this problem is to take Windows PCs completely out of the
    > loop.


    False. Substitute "Mac PC" or "Linux PC" for Windows PC in the above and it
    might be half true. The malicious software producers will simply shift
    their focus to whatever platform is being used by the majority of online
    bankers. With 95% market share they can be assured of Windows users being
    an easy target.

    Two factor logins provide a unique code for every session, that can't be
    re-used across sessions, and are therefore very secure. How do you hack
    the code coming in on a cellphone call? A spyware producer can't
    intercept it. It is very secure.
    Rob J, Mar 13, 2005
    #6
  7. -=rjh=- (Guest)

    Axle wrote:
    >
    > Make that any PC or device where keystrokes can be observed.


    So why not avoid keystrokes completely - use a graphical one time pad,
    which is generated for each session. Might not be secure but I guess it
    would raise the bar somewhat.
    -=rjh=-, Mar 13, 2005
    #7
  8. Chris Hope (Guest)

    Rob J wrote:

    > In article <>, ldo@geek-
    > central.gen.new_zealand says...
    >> Caught a bit of the item on TV1 this morning where this computer
    >> consultant showed this gadget called the "I-Key", I think it was.
    >> This is a little USB dongle that plugs into your PC and plays an
    >> integral part in the authentication handshake with the bank before
    >> you can do your on-line banking. Without the key, no-one can get into
    >> your accounts.
    >>
    >> Trouble is, if the PC has been subverted by spyware, then the
    >> controllers of that spyware can still observe everything you do, and
    >> an even more malicious trojan could take over your machine after
    >> you've logged on and transfer your money to another account, that
    >> kind of thing.
    >>
    >> In other words, a secure gadget that depends on an insecure PC to
    >> operate is still insecure.
    >>
    >> I gather some NZ banks operate a two-factor system, where after
    >> logging on with your PC, you get an SMS message on your cell phone
    >> with an additional code that you need to enter before the logon can
    >> proceed.
    >>
    >> Actually this is still susceptible to the spyware problem. The only
    >> way to get around this problem is to take Windows PCs completely out
    >> of the loop.

    >
    > False. Replace "Mac PC" or "Linux PC" for Windows PC in the above and
    > it might be half true. The malicious software producers will simply
    > shift their focus to whatever platform is being used by the majority
    > of online bankers. With 95% market share they can be assured of
    > Windows users being an easy target.
    >
    > Two factor logins provide a unique code for every session, that can't
    > be re-used across sessions, and are therefore very secure. How do you
    > hack the code coming in on a cellphone call? A spyware producer can't
    > intercept it. It is very secure.


    And not only that, even if they keystroke log it, what use is it? It will
    only work the one time, which is the time they have just recorded. And
    it would be very hard to try to mount a brute force attack because
    it's a random code each time the unique code is requested (and could be
    countered anyway by only allowing say 3 invalid logins in a 24 hour
    period).

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
    Chris Hope, Mar 13, 2005
    #8

  9. >> Two factor logins provide a unique code for every session, that can't
    >> be re-used across sessions, and are therefore very secure. How do you
    >> hack the code coming in on a cellphone call? A spyware producer can't
    >> intercept it. It is very secure.

    >
    > And not only that, even if they keystroke log it what use is it? It will
    > only work the one time which is the time they have just recorded. And
    > it would be very hard to try to mount a brute force attack because each
    > it's a random code each time the unique code is requested (and could be
    > countered anyway by only allowing say 3 invalid logins in a 24 hour
    > period).


    I've never understood this so forgive me if this is way off...
    but if someone's being keylogged, don't they send off their initial
    authentication details then receive further authentication etc.,
    with the second part being the difficult part to forge?
    So with all this in mind.. doesn't the keylogger just have to capture the
    first part of the authentication procedure.. which if they recreate on
    their own computer will result in the bank's server sending them the second
    half of the authentication procedure?
    or am I missing something?
    --

    Hardware, n.: The parts of a computer system that can be kicked
    Shane (aka froggy), Mar 13, 2005
    #9
  10. AD. (Guest)

    On Mon, 14 Mar 2005 10:22:27 +1300, colinco wrote:

    > In article Lawrence D'Oliveiro says...
    >> I gather some NZ banks operate a two-factor system, where after logging
    >> on with your PC, you get an SMS message on your cell phone with an
    >> additional code that you need to enter before the logon can proceed.
    >>
    >> Actually this is still susceptible to the spyware problem. The only way
    >> to get around this problem is to take Windows PCs completely out of the
    >> loop.
    >>

    > If the operator of the PC is in on the scam it doesn't matter what OS is
    > used.


    Not using one time pads - then it doesn't matter what the PC sniffs.

    But they could be impractical for other reasons. I'd be happy to use them
    though.

    --
    Cheers
    Anton
    AD., Mar 13, 2005
    #10
  11. Chris Hope (Guest)

    Shane (aka froggy) wrote:

    >
    >>> Two factor logins provide a unique code for every session, that
    >>> can't be re-used across sessions, and are therefore very secure. How
    >>> do you hack the code coming in on a cellphone call? A spyware
    >>> producer can't intercept it. It is very secure.

    >>
    >> And not only that, even if they keystroke log it what use is it? It
    >> will only work the one time which is the time they have just
    >> recorded. And it would be very hard to try to mount a brute force
    >> attack because each it's a random code each time the unique code is
    >> requested (and could be countered anyway by only allowing say 3
    >> invalid logins in a 24 hour period).

    >
    > I've never understood this so forgive me if this way off...
    > but if someones being keylogged dont they send off their initial
    > authentication details then receive further authentication etc.
    > with the second part being the difficult part to forge?
    > So with all this in mind.. doesnt the keylogger just have to capture
    > the first part of the authentication procedure.. which if they
    > recreate on thei own computer will result in the banks server sending
    > them the second half of the authentication procedure?
    > or am I missing something?


    Step 1 - You log in with your login name and password. The keystroke
    logger reports this information back to whoever is logging it.

    Step 2 - An SMS message is fired off to your cellphone with a one off
    unique code of a few random characters long that has a limited lifespan
    of maybe ten minutes or so. If you don't enter it within that lifespan
    you have to go back to step 1. Note that this code is being sent by SMS
    not the internet, so there's no way the keystroke logger could
    intercept it until it's been entered at the keyboard.

    Step 3 - You enter this code and you get full access to the online
    banking system. The code is no longer usable. The keystroke logger
    logs this and reports it back to whoever.

    The unique code is now useless but the person trying to break in has the
    login name and password, so they can get to step 2 however many times
    they want. They don't need to actually get the SMS message and can
    attempt to guess the code. However if they fail then they have to go
    back to step 1 and receive a new code. They would have to be *very*
    lucky to guess the code as it's reset at each attempt. If the code is
    e.g. 6 characters long (a to z, 0 to 9) they would have to be very lucky
    indeed.

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
    Chris Hope, Mar 13, 2005
    #11
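    As an added illustration (not code from any poster, nor any bank's actual system) of the three-step flow Chris Hope lays out above and the "3 invalid logins in a 24 hour period" limit he suggested in #8, here is a small Python model of the server side: a six-character [a-z0-9] code with a ten-minute lifetime, consumed on first use or first wrong guess, with a lockout after three wrong guesses. The account, phone number, fake clock and SMS stand-in are constructed so it runs offline.

```python
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CODE_ALPHABET = string.ascii_lowercase + string.digits  # "a to z, 0 to 9", as in the post
CODE_LENGTH = 6                                         # 6 characters, as in the post
CODE_LIFETIME = 10 * 60                                 # "maybe ten minutes or so"
MAX_FAILURES = 3                                        # "3 invalid logins" (post #8)
FAILURE_WINDOW = 24 * 60 * 60                           # "in a 24 hour period"


@dataclass
class PendingCode:
    code: str
    issued_at: float


@dataclass
class Account:
    password: str          # constructed sample; a real system stores only a password hash
    phone: str
    pending: Optional[PendingCode] = None
    failures: List[float] = field(default_factory=list)  # times of wrong step-3 codes


class BankLogin:
    """Server side of the flow: step 1 password, step 2 SMS code, step 3 code check."""

    def __init__(self, accounts: Dict[str, Account],
                 send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self.accounts = accounts
        self.send_sms = send_sms   # hypothetical stand-in for the SMS gateway
        self.clock = clock         # injectable so expiry can be tested offline

    def _locked_out(self, acct: Account, now: float) -> bool:
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]
        return len(acct.failures) >= MAX_FAILURES

    def step1_password(self, user: str, password: str) -> bool:
        """Steps 1 and 2: verify the password, then send a fresh code out of band."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None or not secrets.compare_digest(acct.password, password):
            return False
        if self._locked_out(acct, now):
            return False           # too many bad codes: no new code for 24 hours
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        acct.pending = PendingCode(code, now)
        self.send_sms(acct.phone, f"Your one-time login code is {code}")
        return True

    def step3_code(self, user: str, code: str) -> bool:
        """Step 3: the code works once, within its lifetime; any failure discards it."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None or acct.pending is None:
            return False
        pending, acct.pending = acct.pending, None   # consumed whether right or wrong
        if now - pending.issued_at > CODE_LIFETIME:
            return False                             # back to step 1 for a new code
        if not secrets.compare_digest(pending.code, code):
            acct.failures.append(now)
            return False                             # a wrong guess costs the code too
        return True


def guess_probability() -> float:
    """Chance that one blind guess at a fresh 6-character [a-z0-9] code is right."""
    return 1 / len(CODE_ALPHABET) ** CODE_LENGTH     # 1 in 2,176,782,336


def run_scenarios() -> Dict[str, bool]:
    """Drive the flow through the cases the thread discusses; returns each outcome."""
    outbox: List[str] = []               # constructed stand-in for the phone's inbox
    clock = {"now": 1_000_000.0}         # constructed fake clock
    accounts = {"alice": Account(password="correct horse", phone="+64 21 000 0000")}
    bank = BankLogin(accounts, lambda phone, msg: outbox.append(msg), lambda: clock["now"])
    last_code = lambda: outbox[-1].split()[-1]   # what actually arrived on the phone
    out: Dict[str, bool] = {}

    # Legitimate login with the code that reached the phone.
    bank.step1_password("alice", "correct horse")
    out["legit"] = bank.step3_code("alice", last_code())
    captured = last_code()   # what a keylogger on the PC would have recorded

    # Replay: the captured password still passes step 1, but the captured
    # code is stale; a new one went to the phone and the old one is refused.
    bank.step1_password("alice", "correct horse")
    out["replay"] = bank.step3_code("alice", captured)
    # That failure discarded the fresh code as well, so even it is useless now.
    out["after_failure"] = bank.step3_code("alice", last_code())

    # Expiry: a correct code presented after ten minutes is refused.
    bank.step1_password("alice", "correct horse")
    clock["now"] += CODE_LIFETIME + 1
    out["expired"] = bank.step3_code("alice", last_code())

    # Lockout: two more wrong guesses reach the three-failure limit,
    # after which step 1 issues no codes until the 24-hour window passes.
    for _ in range(2):
        bank.step1_password("alice", "correct horse")
        bank.step3_code("alice", "not-the-code")
    out["locked"] = bank.step1_password("alice", "correct horse")
    clock["now"] += FAILURE_WINDOW
    out["unlocked"] = bank.step1_password("alice", "correct horse")
    return out


if __name__ == "__main__":
    print(run_scenarios(), guess_probability())
```

    With the lockout in place an attacker holding only the password gets at most three blind guesses a day, so the per-day success chance is 3 / 36^6, which is the "very lucky indeed" of the post.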

  12. > Step 2 - An SMS message is fired off to your cellphone with a one off
    > unique code of a few random characters long that has a limited lifespan
    > of maybe ten minutes or so. If you don't enter it within that lifespan
    > you have to go back to step 1. Note that this code is being sent by SMS
    > not the internet, so there's no way the keystroke logger could
    > intercept it until it's been entered at the keyboard.



    Ahh, the second part is SMS.
    My bad.

    --

    Hardware, n.: The parts of a computer system that can be kicked
    Shane (aka froggy), Mar 13, 2005
    #12
  13. Chris Hope said the following on 14/03/2005 11:32 a.m.:
    > Shane (aka froggy) wrote:
    >
    >
    >>>>Two factor logins provide a unique code for every session, that
    >>>>can't be re-used across sessions, and are therefore very secure. How
    >>>>do you hack the code coming in on a cellphone call? A spyware
    >>>>producer can't intercept it. It is very secure.
    >>>
    >>>And not only that, even if they keystroke log it what use is it? It
    >>>will only work the one time which is the time they have just
    >>>recorded. And it would be very hard to try to mount a brute force
    >>>attack because each it's a random code each time the unique code is
    >>>requested (and could be countered anyway by only allowing say 3
    >>>invalid logins in a 24 hour period).

    >>
    >>I've never understood this so forgive me if this way off...
    >>but if someones being keylogged dont they send off their initial
    >>authentication details then receive further authentication etc.
    >>with the second part being the difficult part to forge?
    >>So with all this in mind.. doesnt the keylogger just have to capture
    >>the first part of the authentication procedure.. which if they
    >>recreate on thei own computer will result in the banks server sending
    >>them the second half of the authentication procedure?
    >>or am I missing something?

    >
    >
    > Step 1 - You log in with your login name and password. The keystroke
    > logger reports this information back to whoever is logging it.
    >
    > Step 2 - An SMS message is fired off to your cellphone with a one off
    > unique code of a few random characters long that has a limited lifespan
    > of maybe ten minutes or so. If you don't enter it within that lifespan
    > you have to go back to step 1. Note that this code is being sent by SMS
    > not the internet, so there's no way the keystroke logger could
    > intercept it until it's been entered at the keyboard.
    >
    > Step 3 - You enter this code and you get full access to the online
    > banking system. The code is no longer useable. The keystroke logger
    > logs this and reports it back to whoever.
    >
    > The unique code is now useless but the person trying to break in has the
    > login name and password, so they can get to step 2 however many times
    > they want. They don't need to actually get the SMS message and can
    > attempt to guess the code. However if they fail then they have to go
    > back to step 1 and receive a new code. They would have to be *very*
    > lucky to guess the code as it's reset at each attempt. If the code is
    > eg 6 characters long (a to z, 0 to 9) they would have to be very lucky
    > indeed.
    >


    Okay, it does make it improbable for a keylogger attack, but have a look
    at "man in the middle attacks"; it would succeed against this security.
    --
    >>Follow ups may be set to a single group when appropriate!

    ======================================================================
    | Local 40.9000°S, 174.9830°E |
    ======================================================================
    "I used to jog, but the ice kept bouncing out of my glass."
    "With sufficient thrust, pigs fly just fine......
    However, this is not necessarily a good idea...."
    Collector»NZ, Mar 13, 2005
    #13
  14. Chris Hope (Guest)

    Bruce Sinclair wrote:

    > In article <>, Chris Hope
    > <> wrote: (snip)
    >>Step 1 - You log in with your login name and password. The keystroke
    >>logger reports this information back to whoever is logging it.
    >>Step 2 - An SMS message is fired off to your cellphone with a one off
    >>unique code of a few random characters long that has a limited
    >>lifespan of maybe ten minutes or so. If you don't enter it within that
    >>lifespan you have to go back to step 1. Note that this code is being
    >>sent by SMS not the internet, so there's no way the keystroke logger
    >>could intercept it until it's been entered at the keyboard.

    >
    > OK ... so ... can this sort of security work without a cell phone ?
    > ... and if not, will the banks provide one ? :)


    That's the catch...

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
    Chris Hope, Mar 13, 2005
    #14
  15. Chris Hope (Guest)

    Collector»NZ wrote:

    > Chris Hope said the following on 14/03/2005 11:32 a.m.:
    >> Shane (aka froggy) wrote:
    >>
    >>
    >>>>>Two factor logins provide a unique code for every session, that
    >>>>>can't be re-used across sessions, and are therefore very secure.
    >>>>>How do you hack the code coming in on a cellphone call? A spyware
    >>>>>producer can't intercept it. It is very secure.
    >>>>
    >>>>And not only that, even if they keystroke log it what use is it? It
    >>>>will only work the one time which is the time they have just
    >>>>recorded. And it would be very hard to try to mount a brute force
    >>>>attack because each it's a random code each time the unique code is
    >>>>requested (and could be countered anyway by only allowing say 3
    >>>>invalid logins in a 24 hour period).
    >>>
    >>>I've never understood this so forgive me if this way off...
    >>>but if someones being keylogged dont they send off their initial
    >>>authentication details then receive further authentication etc.
    >>>with the second part being the difficult part to forge?
    >>>So with all this in mind.. doesnt the keylogger just have to capture
    >>>the first part of the authentication procedure.. which if they
    >>>recreate on thei own computer will result in the banks server sending
    >>>them the second half of the authentication procedure?
    >>>or am I missing something?

    >>
    >>
    >> Step 1 - You log in with your login name and password. The keystroke
    >> logger reports this information back to whoever is logging it.
    >>
    >> Step 2 - An SMS message is fired off to your cellphone with a one off
    >> unique code of a few random characters long that has a limited
    >> lifespan of maybe ten minutes or so. If you don't enter it within
    >> that lifespan you have to go back to step 1. Note that this code is
    >> being sent by SMS not the internet, so there's no way the keystroke
    >> logger could intercept it until it's been entered at the keyboard.
    >>
    >> Step 3 - You enter this code and you get full access to the online
    >> banking system. The code is no longer useable. The keystroke logger
    >> logs this and reports it back to whoever.
    >>
    >> The unique code is now useless but the person trying to break in has
    >> the login name and password, so they can get to step 2 however many
    >> times they want. They don't need to actually get the SMS message and
    >> can attempt to guess the code. However if they fail then they have to
    >> go back to step 1 and receive a new code. They would have to be
    >> *very* lucky to guess the code as it's reset at each attempt. If the
    >> code is eg 6 characters long (a to z, 0 to 9) they would have to be
    >> very lucky indeed.
    >>

    >
    > Okay it does make it improbable for a keylogger attack, but have a
    > look at "man in the middle attacks", it would suceed against this
    > security.


    Doesn't the session being SSL encrypted help prevent that? Or is there
    some way to circumvent this?

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
    Chris Hope, Mar 13, 2005
    #15
  16. Chris Hope said the following on 14/03/2005 11:59 a.m.:
    > Collector»NZ wrote:
    >
    >
    >>Chris Hope said the following on 14/03/2005 11:32 a.m.:
    >>
    >>>Shane (aka froggy) wrote:
    >>>
    >>>
    >>>
    >>>>>>Two factor logins provide a unique code for every session, that
    >>>>>>can't be re-used across sessions, and are therefore very secure.
    >>>>>>How do you hack the code coming in on a cellphone call? A spyware
    >>>>>>producer can't intercept it. It is very secure.
    >>>>>
    >>>>>And not only that, even if they keystroke log it what use is it? It
    >>>>>will only work the one time which is the time they have just
    >>>>>recorded. And it would be very hard to try to mount a brute force
    >>>>>attack because each it's a random code each time the unique code is
    >>>>>requested (and could be countered anyway by only allowing say 3
    >>>>>invalid logins in a 24 hour period).
    >>>>
    >>>>I've never understood this so forgive me if this way off...
    >>>>but if someones being keylogged dont they send off their initial
    >>>>authentication details then receive further authentication etc.
    >>>>with the second part being the difficult part to forge?
    >>>>So with all this in mind.. doesnt the keylogger just have to capture
    >>>>the first part of the authentication procedure.. which if they
    >>>>recreate on thei own computer will result in the banks server sending
    >>>>them the second half of the authentication procedure?
    >>>>or am I missing something?
    >>>
    >>>
    >>>Step 1 - You log in with your login name and password. The keystroke
    >>>logger reports this information back to whoever is logging it.
    >>>
    >>>Step 2 - An SMS message is fired off to your cellphone with a one off
    >>>unique code of a few random characters long that has a limited
    >>>lifespan of maybe ten minutes or so. If you don't enter it within
    >>>that lifespan you have to go back to step 1. Note that this code is
    >>>being sent by SMS not the internet, so there's no way the keystroke
    >>>logger could intercept it until it's been entered at the keyboard.
    >>>
    >>>Step 3 - You enter this code and you get full access to the online
    >>>banking system. The code is no longer useable. The keystroke logger
    >>>logs this and reports it back to whoever.
    >>>
    >>>The unique code is now useless but the person trying to break in has
    >>>the login name and password, so they can get to step 2 however many
    >>>times they want. They don't need to actually get the SMS message and
    >>>can attempt to guess the code. However if they fail then they have to
    >>>go back to step 1 and receive a new code. They would have to be
    >>>*very* lucky to guess the code as it's reset at each attempt. If the
    >>>code is eg 6 characters long (a to z, 0 to 9) they would have to be
    >>>very lucky indeed.
    >>>

    >>
    >>Okay it does make it improbable for a keylogger attack, but have a
    >>look at "man in the middle attacks", it would suceed against this
    >>security.

    >
    >
    > Doesn't the session being SSL encrypted help prevent that? Or is there
    > some way to circumvent this?
    >

    It is as limited a form of protection as the user's education about
    certificates.

    User establishes session with what they think is the bank, but it is a
    man in the middle; the man in the middle then establishes a session with the bank.
    The cert for the user is invalid (though that can be circumvented); they do the end
    loser thing and click okay.
    Now what the user sends the bank goes to the man in the middle, and the man in the
    middle uses that as they choose (empty account). Not as uncommon as you
    may think, but to date not on bank sites, or not that they have owned up to.

    If the user is not educated about trust relationships and certificates
    then no security scheme is foolproof except perhaps quantum encryption,
    which is not exactly common.



    --
    >>Follow ups may be set to a single group when appropriate!

    ======================================================================
    | Local 40.9000°S, 174.9830°E |
    ======================================================================
    "I used to jog, but the ice kept bouncing out of my glass."
    "With sufficient thrust, pigs fly just fine......
    However, this is not necessarily a good idea...."
    Collector»NZ, Mar 13, 2005
    #16
  17. In article <>, Chris Hope <> wrote:
    (snip)
    >Step 1 - You log in with your login name and password. The keystroke
    >logger reports this information back to whoever is logging it.
    >Step 2 - An SMS message is fired off to your cellphone with a one off
    >unique code of a few random characters long that has a limited lifespan
    >of maybe ten minutes or so. If you don't enter it within that lifespan
    >you have to go back to step 1. Note that this code is being sent by SMS
    >not the internet, so there's no way the keystroke logger could
    >intercept it until it's been entered at the keyboard.


    OK ... so ... can this sort of security work without a cell phone ? ... and
    if not, will the banks provide one ? :)

    >Step 3 - You enter this code and you get full access to the online
    >banking system. The code is no longer useable. The keystroke logger
    >logs this and reports it back to whoever.


    Bruce


    -----------------------------------------------------------------------
    It was so much easier to blame it on Them. It was bleakly depressing to
    think that They were Us. If it was Them, then nothing was anyone's fault.
    If it was Us, what did that make Me ? After all, I'm one of Us. I must be.
    I've certainly never thought of myself as one of Them. No-one ever thinks
    of themselves as one of Them. We're always one of Us. It's Them that do
    the bad things. <=> Terry Pratchett. Jingo.

    Caution ===== followups may have been changed to relevant groups
    (if there were any)
    Bruce Sinclair, Mar 13, 2005
    #17
  18. Chris Hope (Guest)

    Collector»NZ wrote:

    [snip]

    >>>Okay it does make it improbable for a keylogger attack, but have a
    >>>look at "man in the middle attacks", it would suceed against this
    >>>security.

    >>
    >> Doesn't the session being SSL encrypted help prevent that? Or is
    >> there some way to circumvent this?
    >>

    > It is as limited a form of protection as the users education about
    > certificates.
    >
    > User establishes session with what they think is the bank, but it is a
    > man in the middle, man in middle then establishes session with bank.
    > cert for user is invalid (though that can be circumvented) they do end
    > loser thing and click okay.


    Wouldn't they be able to pass through the cert information as well as
    everything else to prevent the invalid cert info being displayed in the
    browser?

    > Now what the users sends the bank goes to man in the middle, man in
    > the middle uses that as they choose (empty account) Not as uncommon as
    > you may think, but todate not on bank sites or that they have owned up
    > to.


    Ouch, that's nasty. One last question... how does the man in the middle
    actually get themselves between you and the bank?

    --
    Chris Hope - The Electric Toolbox - http://www.electrictoolbox.com/
    Chris Hope, Mar 13, 2005
    #18
  19. Lawrence D¹Oliveiro

    Gavin Tunney Guest

    On Mon, 14 Mar 2005 09:52:46 +1300, Lawrence D¹Oliveiro
    <_zealand> wrote:

    >Caught a bit of the item on TV1 this morning where this computer
    >consultant showed this gadget called the "I-Key", I think it was. This
    >is a little USB dongle that plugs into your PC and plays an integral
    >part in the authentication handshake with the bank before you can do
    >your on-line banking. Without the key, no-one can get into your accounts.
    >


    One of the problems with a USB key is it requires an ActiveX control
    or similar, because a remote web server can't read the local disks
    without extra help. Anything that gives a web server local file access
    is in itself fundamentally insecure, Microsoft's move away from the
    sandbox principle (like that used for Java etc) is really the main
    reason we have so many issues with Internet Explorer and Windows.
    Windows has so many attack vectors MS have found it next to impossible
    to secure them all, so getting back to basics is a requisite IMO.

    There has been talk from the banks of an online keyboard run via an
    applet, for entering password into a banking etc site. That is a start
    at least.....would go some way to negating the use of keyloggers.

    >Trouble is, if the PC has been subverted by spyware, then the
    >controllers of that spyware can still observe everything you do, and an
    >even more malicious trojan could take over your machine after you've
    >logged on and transfer your money to another account, that kind of thing.
    >
    >In other words, a secure gadget that depends on an insecure PC to
    >operate is still insecure.


    True, but a combination of well thought out security measures should
    be able to defeat nearly all scams.

    >
    >I gather some NZ banks operate a two-factor system, where after logging
    >on with your PC, you get an SMS message on your cell phone with an
    >additional code that you need to enter before the logon can proceed.
    >


    There is a limit to what banks can do, even physical transactions
    aren't totally secure due to the vagaries of human nature. But it is
    possible to limit the amount of online banking fraud to what one might
    consider 'acceptable' levels. Using a home & away security system
    would be a good place to start IMO, one-off user names & passwords are
    unbreakable and can be used with potentially insecure PCs in places
    like internet cafes.

    Then there's other options such as multi-tier authentication depending
    on the type of transaction, the amount of money involved etc. It isn't
    very wise for the initial login authentication to allow one to
    transfer funds out of the account. Anyone who can log in to the account
    gets root access, which is a pretty poor way of doing it IMO.

    >Actually this is still susceptible to the spyware problem. The only way
    >to get around this problem is to take Windows PCs completely out of the
    >loop.


    Ah, a reasonable discussion spoiled by the usual tired anti-Microsoft
    crap. What a surprise, and what a shame. FWIW taking Windows PCs out
    of the loop wouldn't get around the problem, far from it. There's no
    question that Windows security is more easily circumvented than Apple
    or Linux security on the average user's computer, but to suggest that
    removing Windows machines from the banking equation would remove
    online banking fraud is to suggest the promoter of that view is
    severely lacking in common sense.

    Gavin
    Gavin Tunney, Mar 13, 2005
    #19
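As an added illustration, not code from anyone in this thread, here is a toy Python model of the design Gavin argues for in #19 (logging in grants no power to move money; each transfer needs its own confirmation) combined with Bruce's point in #17 that a one-time code is no longer usable once spent. The code is bound to the destination and amount that the phone displays, so a code captured by a keylogger on the PC cannot be replayed, and a trojan that swaps the destination after the user confirms is rejected. The account numbers, threshold and time values are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # constructed: how long a confirmation code stays valid


@dataclass
class Pending:
    dest: str
    amount: int
    code_hash: bytes
    expires: float


@dataclass
class Session:
    """An authenticated session. Being logged in gives it no power to move
    money; only a confirmed Pending transfer does (Gavin's point in #19)."""
    user: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: dict = field(default_factory=dict)  # txn_id -> Pending


def _digest(key, code, dest, amount):
    # Bind the code to destination and amount: a code typed on a keylogged PC
    # cannot authorise a transfer to anywhere else or for any other amount.
    return hmac.new(key, f"{dest}|{amount}|{code}".encode(), hashlib.sha256).digest()


def request_transfer(session, dest, amount, now=None):
    """Record a pending transfer and mint a fresh six-digit code for it. The
    code is returned only so the caller can hand it to the SMS gateway; the
    PC that made the request never sees it."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    txn_id = secrets.token_hex(8)
    session.pending[txn_id] = Pending(dest, amount, _digest(session.key, code, dest, amount),
                                      now + CODE_TTL_SECONDS)
    sms_text = f"Confirm transfer of {amount} to {dest} with code {code}"  # shown on the phone
    return txn_id, code, sms_text


def confirm_transfer(session, txn_id, dest, amount, code, now=None):
    """Single-use check: the pending entry is removed whether or not the code
    matches, so a replayed or guessed code gets exactly one attempt."""
    now = time.time() if now is None else now
    p = session.pending.pop(txn_id, None)
    if p is None:
        return False, "unknown or already used transaction"
    if now > p.expires:
        return False, "code expired"
    if not hmac.compare_digest(p.code_hash, _digest(session.key, code, dest, amount)):
        return False, "code does not match this transaction"
    return True, "transfer authorised"
```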
  20. Chris Hope said the following on 14/03/2005 12:47 p.m.:
    > Collector»NZ wrote:
    >
    > [snip]
    >
    >
    >>>>Okay it does make it improbable for a keylogger attack, but have a
    >>>>look at "man in the middle attacks", it would succeed against this
    >>>>security.
    >>>
    >>>Doesn't the session being SSL encrypted help prevent that? Or is
    >>>there some way to circumvent this?
    >>>

    >>
    >>It is as limited a form of protection as the user's education about
    >>certificates.
    >>
    >>User establishes session with what they think is the bank, but it is a
    >>man in the middle, man in middle then establishes session with bank.
    >>cert for user is invalid (though that can be circumvented) they do end
    >>loser thing and click okay.

    >
    >
    > Wouldn't they be able to pass through the cert information as well as
    > everything else to prevent the invalid cert info being displayed in the
    > browser?

    There are means of doing this but I would choose not to discuss the
    methodology in a public forum.
    >
    >
    >>Now what the user sends the bank goes to man in the middle, man in
    >>the middle uses that as they choose (empty account). Not as uncommon as
    >>you may think, but to date not on bank sites, or that they have owned up
    >>to.

    >
    >
    > Ouch, that's nasty. One last question... how does the man in the middle
    > actually get themselves between you and the bank?
    >

    Many ways, from poisoning a router address table right up to subjugating
    a DNS server; there are many ways to achieve it, it depends on whom, what
    and where.

    --
    >>Follow ups may be set to a single group when appropriate!

    ======================================================================
    | Local 40.9000°S, 174.9830°E |
    ======================================================================
    "I used to jog, but the ice kept bouncing out of my glass."
    "With sufficient thrust, pigs fly just fine......
    However, this is not necessarily a good idea...."
    Collector»NZ, Mar 13, 2005
    #20