[LINK] Banks eye bootable Linux CDs

Antony Barry tony at tony-barry.emu.id.au
Sun Mar 27 07:35:13 EST 2005



Begin forwarded message:
>
> The attached message has been automatically discarded.
> From: David Lochrin <dlochrin at d2.net.au>
> Date: 26 March 2005 2:41:19 PM
> To: Link <link at anu.edu.au>
> Cc: Glen Turner <glen.turner at aarnet.edu.au>, brd at iimetro.com.au
> Subject: Re: [LINK] Banks eye bootable Linux CDs
> Reply-To: dlochrin at d2.net.au
>
>
> On Thu, 24 Mar 2005 19:39, Glen Turner wrote:
>> The problem with the token stuff I've seen so far is that
>> they authenticate the connection to the bank, not authorise
>> the transaction.
>>
>> So if someone hijacks the PC they need merely wait until
>> the user initiates their banking session before nastily
>> draining the account.  Better than the current scenario,
>> but not by much.
>
> Man-in-the-middle attacks like that are not possible with IPsec 
> (encrypted & authenticated) transport, and I imagine (hope) not with 
> SSL but I'm not sure.
>
> However I notice that CommSec at least do not appear to encrypt the 
> whole session, only the initial login.  That certainly could lead to 
> the sort of MITM attacks you describe, though an attacker could only 
> buy & sell shares on the victim's behalf and not actually steal 
> anything.
>
> Authenticating each transaction shouldn't be necessary if the session 
> is properly secured.  In any case, that seems to have exactly the same 
> security weaknesses as authenticating the whole session.
>
>> Cynics might say that it's better for the banks, since
>> users would find it too difficult to repudiate the
>> bogus transaction.
>
> Dear, dear me - Link is full of cynics!!  It would be very interesting 
> to know more detail about losses from Internet banking, how often the 
> banks decline to make good losses, and whether they are putting any 
> pressure on Microsoft to lift their game.
>
> ADL
>
>
>
phone : 02 6241 7659 | mailto:me at Tony-Barry.emu.id.au
mobile: 04 1242 0397 | http://tony-barry.emu.id.au
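Glen Turner's distinction above (a token that authenticates the connection versus one that authorises each transaction) is the crux of the thread, so here is a small added model of both, written for this page rather than taken from any of the correspondents or from a bank. It assumes a signing device that holds a secret the PC never sees and that the customer keys the transfer details into the device (or reads them off its display), and it uses HMAC-SHA256 as a stand-in for whatever MAC such a device would compute; the account names, secret and amounts are constructed. With session-only authentication, a request injected from a hijacked PC after login is honoured; with per-transaction authorisation, the bank accepts only a signature that covers exactly the transfer it receives, for a fresh challenge, so an altered or replayed transfer is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one customer and the token secret the bank shares with that customer's device.
TOKEN_SECRETS = {"acct-001": b"constructed-token-secret-001"}


def canonical(transfer: dict) -> bytes:
    """Serialise the fields that matter for authorisation, so a MAC covers exactly this transfer."""
    return f"{transfer['account']}|{transfer['destination']}|{transfer['amount_cents']}".encode()


class HardwareToken:
    """Stands in for the customer's signing device; the secret never reaches the PC."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def login_code(self) -> str:
        # Proves who is connecting, and nothing more.
        return hmac.new(self._secret, b"login", hashlib.sha256).hexdigest()

    def sign_transfer(self, transfer: dict, challenge: bytes) -> str:
        # Assumption: the customer enters the transfer details on the device itself,
        # so a hijacked PC cannot change what gets signed.
        return hmac.new(self._secret, canonical(transfer) + challenge, hashlib.sha256).hexdigest()


class SessionOnlyBank:
    """'Authenticate the connection': the token is used once at login, after which
    any request arriving on that session is honoured."""

    def __init__(self, token_secrets: dict):
        self._secrets = token_secrets
        self._sessions: dict = {}

    def login(self, account: str, code: str):
        expected = hmac.new(self._secrets[account], b"login", hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return None
        sid = secrets.token_hex(8)
        self._sessions[sid] = account
        return sid

    def transfer(self, sid: str, transfer: dict) -> bool:
        return self._sessions.get(sid) == transfer["account"]


class TransactionAuthBank(SessionOnlyBank):
    """'Authorise the transaction': every transfer needs a fresh device signature over its own details."""

    def __init__(self, token_secrets: dict):
        super().__init__(token_secrets)
        self._challenges: dict = {}

    def challenge(self, sid: str) -> bytes:
        c = secrets.token_bytes(8)
        self._challenges[sid] = c
        return c

    def transfer(self, sid: str, transfer: dict, signature: str = "") -> bool:
        if not super().transfer(sid, transfer):
            return False
        c = self._challenges.pop(sid, None)  # one-shot: consumed whether or not the check passes
        if c is None:
            return False
        expected = hmac.new(self._secrets[transfer["account"]],
                            canonical(transfer) + c, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)


def simulate() -> dict:
    """Run the hijacked-PC scenario against both bank models and report what each accepts."""
    token = HardwareToken(TOKEN_SECRETS["acct-001"])
    legit = {"account": "acct-001", "destination": "acct-payee", "amount_cents": 5000}
    injected = {"account": "acct-001", "destination": "acct-mule", "amount_cents": 999900}
    results = {}

    # Session-only: once the customer has logged in, a transfer submitted from the
    # compromised PC rides the authenticated session and is honoured.
    bank = SessionOnlyBank(TOKEN_SECRETS)
    sid = bank.login("acct-001", token.login_code())
    results["session_only_injected"] = bank.transfer(sid, injected)

    # Per-transaction: the customer signs the transfer they intend; if the PC swaps the
    # destination or amount on the way to the bank, the MAC no longer matches.
    bank = TransactionAuthBank(TOKEN_SECRETS)
    sid = bank.login("acct-001", token.login_code())
    sig = token.sign_transfer(legit, bank.challenge(sid))
    results["txauth_altered"] = bank.transfer(sid, injected, sig)
    # The customer requests a fresh challenge and signs again; the genuine transfer goes through.
    sig = token.sign_transfer(legit, bank.challenge(sid))
    results["txauth_legit"] = bank.transfer(sid, legit, sig)
    # Re-sending the same signed request fails because its challenge has been consumed.
    results["txauth_replay"] = bank.transfer(sid, legit, sig)
    return results


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model deliberately keeps the PC out of the signing path: whoever controls the PC can submit requests and ask for challenges, but without the device secret cannot produce a signature over a transfer the customer did not key in, and the one-shot challenge prevents reuse of a signature the customer did produce.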


