Andy Steingruebl <[email protected]> writes:
>On Sat, Sep 10, 2011 at 4:46 PM, John Levine <[email protected]> wrote:
>> But Steve, generic malware runs on your PC or in your browser. If
>> they wanted to steal card numbers, they'd steal card numbers today,
>> from the browser or by key logging, before the numbers got TLS-ed.
>> Since they don't do it now, I don't see any reason to think they'd do
>> it if it were easier to steal them other places.
>
>Do you have any data to support your assertion that malware isn't stealing
>credit card numbers from individual PCs?

I realise you're kinda baiting him here :-), but for those who aren't familiar with this (is there anyone who isn't?), man-in-the-browser (MITB) attacks steal massive amounts of data every day. The MITB has custom rulesets tailored for individual financial institutions (several thousand in some cases) that bypass any protection mechanisms the banks (or whatever) may have in place. This is why European banks have been transitioning to, or in some countries have transitioned to, external auth devices that can't be compromised by PC trojans. In the case of smartphones the response has been to push the trojans out to the phone as well, but for specialised tokens the best attacks to date have been a few semantic attacks.

Peter.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
