On 2012-02-26 15:45:34 -0600 (-0600), Marsh Ray wrote:
[...]
> So if the online banking site required TLS client authentication
> with smart cards with on-chip RSA, the situation would be much
> different. A MitM who succeeded in impersonating the site to the
> user would be unable to replay or forward the user's credentials. In
> theory, the user could not be socially engineered out of his
> credentials (short of physically handing over his smart card).
[...]
"Your login was successful, but due to recent security concerns we also
require a one-time verification of your personal information. Please now
enter the following...

 * Checking Account Number
 * Bank Routing Number
 * ATM Card Number
 * Card Expiration Date
 * CCV Number
 * Full Name
 * Billing Address
 * Social Security Number
 * Drivers License Number

Thank you for your cooperation. Please click here to log out and back in
again. [hyperlink to actual impersonated site]"

So sure, maybe not socially engineered out of his online banking
credentials, just possibly everything else the attacker might want in
lieu of access to the banking portal itself.

Mutual authentication could thwart this if implemented well in a way
which was very visible to the user, but also might not if implemented
poorly (and it's not like banks are leading the way in well-thought-out
authentication technologies, after all).

Also working against this is that it's more expensive for banks to step
up authentication past the level which government regulators consider to
no longer be grossly negligent. Beyond there it's likely cheaper in the
long run for banks to refund disputed transactions and replace
compromised accounts (or wait for victims to get frustrated and give
up/leave in disgust).
-- 
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fu...@yuggoth.org); FINGER(fu...@yuggoth.org);
MUD(kin...@katarsis.mudpy.org:6669); IRC(fu...@irc.yuggoth.org#ccl); }
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography