Heyman, Michael wrote:
Defense in depth can help against spoofing - this includes valid
certificates, personalization (even if it is the less-than-optimal
Citibank-like solution), PetName, etc. Man-in-the-middle is harder given
that we have such a high false positive rate on our best weapon.
Heyman, Michael [EMAIL PROTECTED] writes:
The false positive I was referring to is the something is telling me
something unimportant positive. I didn't mean to infer that the users
likely went through a thought process centered around the possible causes of
the certificate failure, specifically
On Wednesday 01 June 2005 23:38, Anne Lynn Wheeler wrote:
in theory, the KISS part of SSL's countermeasure for MITM-attack ... is
does the URL you entered match the URL in the provided certificate. An
attack is inducing a fraudulent URL to be entered for which the
attackers have a valid
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: Tuesday, May 31, 2005 1:29 PM
In this situation, I believe that the users, through hard won
experience with computers, _correctly_ assumed this was a
false positive.
Probably not.
[SNIP text on user's
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote:
[..]
With bank web sites, experience has shown that only 0.3%
of users are deterred by an invalid certificate,
probably because very few users have any idea what a
certificate authority is, what it does, or why they
should
James A. Donald [EMAIL PROTECTED] writes:
With bank web sites, experience has shown that only 0.3% of users are
deterred by an invalid certificate, probably because very few users have any
idea what a certificate authority is, what it does, or why they should care.
James (and others): I really
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald
Sent: Saturday, May 28, 2005 1:48 PM
With bank web sites, experience has shown that only 0.3% of
users are deterred by an invalid certificate, probably
because very few users have any idea what a certificate
On Saturday 28 May 2005 18:47, James A. Donald wrote:
Do we have any comparable experience on SSH logins?
Existing SSH uses tend to be geek oriented, and do not
secure stuff that is under heavy attack. Does anyone
have any examples of SSH securing something that was
valuable to the user,
With bank web sites, experience has shown that only 0.3%
of users are deterred by an invalid certificate,
probably because very few users have any idea what a
certificate authority is, what it does, or why they
should care. (And if you have seen the experts debating
what a certificate
On Tue, May 31, 2005 at 02:45:56PM +0100, Ian G wrote:
On Saturday 28 May 2005 18:47, James A. Donald wrote:
Do we have any comparable experience on SSH logins?
Existing SSH uses tend to be geek oriented, and do not
secure stuff that is under heavy attack. Does anyone
have any
Heyman, Michael [EMAIL PROTECTED] writes:
In this situation, I believe that the users, through hard won experience with
computers, _correctly_ assumed this was a false positive.
Probably not. This issue was discussed at some length on the hcisec list,
(security usability,
Ed Gerck wrote:
Suppose you choose A4RT as your codeword. The codeword has no privacy concern
(it does not identify you) and is dynamic -- you can change it at will, if you
suspect someone else got it.
Compare with the other two identifiers that Citibank is using. Your full name
is private
Adam Fields wrote:
Moreover, in my experience (as I've mentioned before on this list),
noticing an invalid certificate is absolutely useless if the banks
won't verify via another channel a) that it changed, b) what the new
value is or c) what the old value is.
I've tried. They won't/can't.
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can register your
computer; if your account is
Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can register your
Steven M. Bellovin wrote:
Bank of America is adopting some new schemes that might help. First,
they're asking users to select a picture the user selected at
registration time. The theory is presumably that a phishing site won't
have the right image for you. Second, you can register your
just for the heck of it ... something today more from the physical world
ATM scams added to GASAs fraud library
http://www.atmmarketplace.com/news_story_23307.htm
CAPE TOWN, South Africa and BROOKINGS, S.D. The ATM Industry
Association's Global ATM Security Alliance launched its online
oops, sorry, forgot to include this one
Hong Kong banks to introduce two-factor authentication for online
transactions
http://www.finextra.com/fullstory.asp?id=13744
Banks in Hong Kong are set to introduce two-factor authentication
services to the country's 2.7 million Internet banking
Ed Gerck wrote:
Also, in an effort to make their certs more valuable, CAs have made digitally
signed messages imply too much -- much more than they warrant or can
even represent.
There are now all sorts of legal implications tied to PKI signatures, in
my opinion largely exaggerated and
But from your point, the codeword would be in the clear as well.
Respectively speaking, I don't see how either solution would solve this.
Ed Gerck wrote:
List,
In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last
Suppose you choose A4RT as your codeword. The codeword has no privacy concern
(it does not identify you) and is dynamic -- you can change it at will, if you
suspect someone else got it.
Compare with the other two identifiers that Citibank is using. Your full name
is private and static. The ATM's
On May 26, 2005, at 13:24, Ed Gerck wrote:
A better solution, along the same lines, would have been for Citibank to
ask from their account holders when they login for Internet banking,
whether they would like to set up a three- or four-character combination
to be used in all emails from the
Wells Fargo reported to me some time ago that they tried using digitally
signed S/MIME email messages and it did not work even for their _own employees_.
Also, in an effort to make their certs more valuable, CAs have made digitally
signed messages imply too much -- much more than they warrant or
On 26 May 2005 at 11:24, Ed Gerck wrote:
A better solution, along the same lines, would have
been for Citibank to ask from their account holders
when they login for Internet banking, whether they
would like to set up a three- or four-character
combination to be used in all emails
List,
In an effort to stop phishing emails, Citibank is including in a plaintext
email the full name of the account holder and the last four digits of the
ATM card.
Not only are these personal identifiers sent in an insecure communication,
such use is not authorized by the person they identify.