[LINK] PCs bad for banking: expert
rchirgwin at ozemail.com.au
Thu Mar 17 12:27:22 EST 2005
OK, delete Java. And we can debate multiplatform some other time. Just picking on one point of contention:
> Craig Sanders wrote:
>
> >Specs:
> >> - use a cross platform environment (Java perhaps?)
> >> - distribute the software
> >> - require users to authenticate the application offline (the
> >> inconvenient but functional Advance Bank application, in which you got
> >> the authentication key over the phone, for example)
> >> - do not accept login from an application which cannot verify itself.
> >>
> >> Those are minima, I would fully expect better brains than mine to add to
> >> the list.
>
>
> > this does not solve the problem. if the OS is compromised with
> > a keystroke logger, it doesn't matter at all whether the banking
> > application is a browser, a compiled C/C++ app, or a java app. the
> > keylogger will grab the login & password details anyway.
So what? You now have the login and password details. But this isn't browser banking.
Case 1: stolen account info
- useless without the client software
Case 2: stolen account info and a copy of the client software
- defence: a business rule which says "client software may only be associated with a customer". So when you try to authenticate the client software to impersonate "me", you're unable to do so.
Security isn't just the software, it's also the business rules. But the browser is, intrinsically, part of the problem. We've seen redirect hijacks on things other than IE.
RC
This message was sent through MyMail http://www.mymail.com.au
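To make the Case 1 / Case 2 argument above concrete, here is a small added example (not code from the original post, and not any bank's real protocol) of a hypothetical back end that enforces "client software may only be associated with one customer": a client installation is enrolled to exactly one customer (standing in for the out-of-band key step mentioned in the specs), and a login needs both the customer's credentials and a proof from a client bound to that same customer. Names, the HMAC challenge scheme and the SHA-256 password hashing are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example of a hypothetical bank back end. Passwords are hashed
# with plain SHA-256 only to keep the sketch short; a real service would use
# a slow password hash.
class BankServer:
    def __init__(self):
        self.passwords = {}     # customer_id -> password hash
        self.client_owner = {}  # client_id -> the one customer it is bound to
        self.client_keys = {}   # client_id -> enrollment secret

    def register_customer(self, customer_id, password):
        self.passwords[customer_id] = hashlib.sha256(password.encode()).hexdigest()

    def enroll_client(self, customer_id):
        """Enrollment (the out-of-band key step): bind a client install to one customer."""
        client_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.client_owner[client_id] = customer_id
        self.client_keys[client_id] = key
        return client_id, key

    def challenge(self):
        return secrets.token_bytes(16)

    def login(self, customer_id, password, client_id, nonce, proof):
        # 1. Credentials (these are what a keylogger captures).
        if self.passwords.get(customer_id) != hashlib.sha256(password.encode()).hexdigest():
            return False
        # 2. Business rule: the presenting client must be bound to *this* customer.
        if self.client_owner.get(client_id) != customer_id:
            return False
        # 3. The client proves possession of its enrollment secret for this challenge.
        expected = hmac.new(self.client_keys[client_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def client_proof(key, nonce):
    """What an enrolled client sends back for a server challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    bank = BankServer()
    bank.register_customer("rc", "hunter2")        # constructed victim account
    bank.register_customer("mallory", "letmein")   # constructed attacker account
    rc_client, rc_key = bank.enroll_client("rc")
    mal_client, mal_key = bank.enroll_client("mallory")
    n = bank.challenge()
    legit = bank.login("rc", "hunter2", rc_client, n, client_proof(rc_key, n))
    # Case 1: keylogged credentials but no client software at all.
    case1 = bank.login("rc", "hunter2", "", n, b"")
    # Case 2: keylogged credentials plus a copy of the client, enrolled to the attacker.
    case2 = bank.login("rc", "hunter2", mal_client, n, client_proof(mal_key, n))
    return legit, case1, case2   # -> (True, False, False)
```

The rule only helps against credentials leaving the enrolled machine; a keylogger running on the victim's own enrolled client, the scenario Craig raises, is not addressed by this check.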