Gary Warner wrote:

> Here's an interesting approach to dealing with the Graphical Keypads
> that Standard Bank uses on their website to avoid Keylogger interception
> of PIN numbers:
>
> http://www.99fcc.com/images/stories/Standard.html
>
> This phisher just placed a graphic where the PIN Pad was supposed to be
> that says:
>
> PIN Pad is
> discontinued
>
> and gives a box for the customer to type his PIN instead.
If you read enough of my older posts to various security lists about the grievous flaws in most "we'll get around the wily hackers but still use an untrusted endpoint as the client" you'll see that such shortcomings of such stupidities have been well known/expected for a veeeery loooong time now...

Any security mechanism that (largely) only depends on input or output via an untrustable device is trivially beaten by client and/or network interception.

Worse, as in this case, the "obviousness" of many of the attacks against such things, which would probably prevent most of the institution's customers falling for such an "attack" (if they even accepted the bait and visited the dubious page), is entirely lost on just those customers that MOST need all the extra help they can be given.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
