On Tue, 31 Oct 2006 15:04:33 EST, "Richard M. Smith" said:

> To log onto a bank account, one still uses a username and password.
> However, the computer must also have a special "security" cookie set on the
> computer. This cookie gets generated by the bank's Web site after someone
> answers a number of "secret" questions about their account. An account can
> also be locked down to only work on one particular computer. I'm not sure
> what happens if someone clears out their browser cookies.
Oh dear, another security scheme that provides zero additional benefit if the PC in question has been pwned by any sort of keystroke logger or similar spyware - at that point snarfing up all the cookies in addition to user/pass is trivial.

Of course, to be fair, it's *really* hard to do something in a secure manner when there's a very real non-zero chance that you're doing the computing on a platform that's controlled by the adversary.

Anybody got good recent numbers on what % of PCs are essentially pwned by spyware/adware/etc (include *any* software that's able to "phone home" to update itself, as it means that added snoopware can be downloaded at any arbitrary time)?
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
