Re: Citibank discloses private information to improve security

2005-06-02 Thread Ed Gerck
Ian G wrote: > This will change. I predict that the banks will end up with the liability for phishing, for good or for bad, and they will then find it in their hearts to finance the add-ons, which will battle it out, thus leading to the 'best practices' which will be incorporated into the bro

Re: Citibank discloses private information to improve security

2005-06-02 Thread Ian G
On Wednesday 01 June 2005 23:38, Anne & Lynn Wheeler wrote: > in theory, the KISS part of SSL's countermeasure for MITM-attack ... is > does the URL you entered match the URL in the provided certificate. An > attack is inducing a fraudulent URL to be entered for which the > attackers have a valid c

RE: Citibank discloses private information to improve security

2005-06-02 Thread Peter Gutmann
"Heyman, Michael" <[EMAIL PROTECTED]> writes: >The false positive I was referring to is the "something is telling me >something unimportant" positive. I didn't mean to infer that the users >likely went through a thought process centered around the possible causes of >the certificate failure, speci

Re: Citibank discloses private information to improve security

2005-06-02 Thread Anne & Lynn Wheeler
Heyman, Michael wrote: Defense in depth can help against spoofing - this includes valid certificates, personalization (even if it is the less-than-optimal Citibank-like solution), PetName, etc. Man-in-the-middle is harder given that we have such a high false positive rate on our best weapon. i

RE: Citibank discloses private information to improve security

2005-06-01 Thread Heyman, Michael
> From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann > Sent: Tuesday, May 31, 2005 1:29 PM > > >In this situation, I believe that the users, through hard won > >experience with computers, _correctly_ assumed this was a > >false positive. > > Probably not. > [SNIP tex

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne & Lynn Wheeler
Ed Gerck wrote: Also, in an effort to make their certs more valuable, CAs have made digitally signed messages imply too much -- much more than they warrant or can even represent. There are now all sorts of legal implications tied to PKI signatures, in my opinion largely exaggerated and casuisti

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne & Lynn Wheeler
oops, sorry, forgot to include this one Hong Kong banks to introduce two-factor authentication for online transactions http://www.finextra.com/fullstory.asp?id=13744 Banks in Hong Kong are set to introduce two-factor authentication services to the country's 2.7 million Internet banking custom

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne & Lynn Wheeler
just for the heck of it ... something today more from the physical world ATM scams added to GASA’s fraud library http://www.atmmarketplace.com/news_story_23307.htm CAPE TOWN, South Africa and BROOKINGS, S.D. — The ATM Industry Association's Global ATM Security Alliance launched its online libra

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne & Lynn Wheeler
Steven M. Bellovin wrote: Bank of America is adopting some new schemes that might help. First, they're asking users to select a picture the user selected at registration time. The theory is presumably that a phishing site won't have the right image for you. Second, you can "register" your c

Re: Citibank discloses private information to improve security

2005-05-31 Thread Steven M. Bellovin
Bank of America is adopting some new schemes that might help. First, they're asking users to select a picture the user selected at registration time. The theory is presumably that a phishing site won't have the right image for you. Second, you can "register" your computer; if your account is

Re: Citibank discloses private information to improve security

2005-05-31 Thread Anne & Lynn Wheeler
Adam Fields wrote: Moreover, in my experience (as I've mentioned before on this list), noticing an invalid certificate is absolutely useless if the banks won't verify via another channel a) that it changed, b) what the new value is or c) what the old value is. I've tried. They won't/can't. one

Re: Citibank discloses private information to improve security

2005-05-31 Thread Lance James
Ed Gerck wrote: Suppose you choose "A4RT" as your codeword. The codeword has no privacy concern (it does not identify you) and is dynamic -- you can change it at will, if you suspect someone else got it. Compare with the other two identifiers that Citibank is using. Your full name is private

RE: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
"Heyman, Michael" <[EMAIL PROTECTED]> writes: >In this situation, I believe that the users, through hard won experience with >computers, _correctly_ assumed this was a false positive. Probably not. This issue was discussed at some length on the hcisec list, (security usability, http://groups.yah

Re: Citibank discloses private information to improve security

2005-05-31 Thread Victor Duchovni
On Tue, May 31, 2005 at 02:45:56PM +0100, Ian G wrote: > On Saturday 28 May 2005 18:47, James A. Donald wrote: > > > Do we have any comparable experience on SSH logins? > > Existing SSH uses tend to be geek oriented, and do not > > secure stuff that is under heavy attack. Does anyone > > have an

Re: Citibank discloses private information to improve security

2005-05-31 Thread Amir Herzberg
With bank web sites, experience has shown that only 0.3% of users are deterred by an invalid certificate, probably because very few users have any idea what a certificate authority is, what it does, or why they should care. (And if you have seen the experts debating what a certificate autho

Re: Citibank discloses private information to improve security

2005-05-31 Thread Ian G
On Saturday 28 May 2005 18:47, James A. Donald wrote: > Do we have any comparable experience on SSH logins? > Existing SSH uses tend to be geek oriented, and do not > secure stuff that is under heavy attack. Does anyone > have any examples of SSH securing something that was > valuable to the user

RE: Citibank discloses private information to improve security

2005-05-31 Thread Heyman, Michael
> From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of James A. Donald > Sent: Saturday, May 28, 2005 1:48 PM > > With bank web sites, experience has shown that only 0.3% of > users are deterred by an invalid certificate, probably > because very few users have any idea what a certif

Re: Citibank discloses private information to improve security

2005-05-31 Thread Peter Gutmann
"James A. Donald" <[EMAIL PROTECTED]> writes: >With bank web sites, experience has shown that only 0.3% of users are >deterred by an invalid certificate, probably because very few users have any >idea what a certificate authority is, what it does, or why they should care. James (and others): I re

Re: Citibank discloses private information to improve security

2005-05-31 Thread Adam Fields
On Sat, May 28, 2005 at 10:47:56AM -0700, James A. Donald wrote: [..] > With bank web sites, experience has shown that only 0.3% > of users are deterred by an invalid certificate, > probably because very few users have any idea what a > certificate authority is, what it does, or why they > shou

Re: Citibank discloses private information to improve security

2005-05-30 Thread James A. Donald
-- On 26 May 2005 at 11:24, Ed Gerck wrote: > A better solution, along the same lines, would have > been for Citibank to ask from their account holders > when they login for Internet banking, whether they > would like to set up a three- or four-character > combination to be used in all emai

Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck
Wells Fargo reported to me some time ago that they tried using digitally signed S/MIME email messages and it did not work even for their _own employees_. Also, in an effort to make their certs more valuable, CAs have made digitally signed messages imply too much -- much more than they warrant or

Re: Citibank discloses private information to improve security

2005-05-30 Thread Matt Crawford
On May 26, 2005, at 13:24, Ed Gerck wrote: A better solution, along the same lines, would have been for Citibank to ask from their account holders when they login for Internet banking, whether they would like to set up a three- or four-character combination to be used in all emails from the ba

Re: Citibank discloses private information to improve security

2005-05-30 Thread Ed Gerck
Suppose you choose "A4RT" as your codeword. The codeword has no privacy concern (it does not identify you) and is dynamic -- you can change it at will, if you suspect someone else got it. Compare with the other two identifiers that Citibank is using. Your full name is private and static. The ATM'

Re: Citibank discloses private information to improve security

2005-05-30 Thread Lance James
But from your point, the codeword would be in the clear as well. Respectively speaking, I don't see how either solution would solve this. Ed Gerck wrote: List, In an effort to stop phishing emails, Citibank is including in a plaintext email the full name of the account holder and the last fou

Citibank discloses private information to improve security

2005-05-26 Thread Ed Gerck
List, In an effort to stop phishing emails, Citibank is including in a plaintext email the full name of the account holder and the last four digits of the ATM card. Not only are these personal identifiers sent in an insecure communication, such use is not authorized by the person they identify.