[LINK] Banks eye bootable Linux CDs
tony at tony-barry.emu.id.au
Sun Mar 27 07:35:13 EST 2005
Begin forwarded message:
> The attached message has been automatically discarded.
> From: David Lochrin <dlochrin at d2.net.au>
> Date: 26 March 2005 2:41:19 PM
> To: Link <link at anu.edu.au>
> Cc: Glen Turner <glen.turner at aarnet.edu.au>, brd at iimetro.com.au
> Subject: Re: [LINK] Banks eye bootable Linux CDs
> Reply-To: dlochrin at d2.net.au
> On Thu, 24 Mar 2005 19:39, Glen Turner wrote:
>> The problem with the token stuff I've seen so far is that
>> they authenticate the connection to the bank, not authorise
>> the transaction.
>> So if someone hijacks the PC they need merely wait until
>> the user initiates their banking session before nastily
>> draining the account. Better than the current scenario,
>> but not by much.
> Man-in-the-middle attacks like that are not possible with IPsec
> (encrypted & authenticated) transport, and I imagine (hope) not with
> SSL but I'm not sure.
> However I notice that CommSec at least do not appear to encrypt the
> whole session, only the initial login. That certainly could lead to
> the sort of MITM attacks you describe, though an attacker could only
> buy & sell shares on the victim's behalf and not actually steal
> Authenticating each transaction shouldn't be necessary if the session
> is properly secured. In any case, that seems to have exactly the same
> security weaknesses as authenticating the whole session.
>> Cynics might say that it's better for the banks, since
>> users would find it too difficult to repudiate the
>> bogus transaction.
> Dear, dear me - Link is full of cynics!! It would be very interesting
> to know more detail about losses from Internet banking, how often the
> banks decline to make good losses, and whether they are putting any
> pressure on Microsoft to lift their game.
phone : 02 6241 7659 | mailto:me at Tony-Barry.emu.id.au
mobile: 04 1242 0397 | http://tony-barry.emu.id.au
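The session-versus-transaction distinction argued over in the thread above, worked through as an added example (not code from anyone on the list or from any bank): a token whose one-time code is an HMAC over a login challenge only, beside one whose code also covers the payee and amount. Malware sitting inside an already-authenticated session can submit its own transfer in the first design but not in the second, because the bank recomputes the code over the transfer it actually received. The seed, account strings, amounts and the 8-digit truncation are constructed values for this illustration, and the second design only helps if the token has its own display and keypad, so the compromised PC cannot alter what the user confirms before the code is generated.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical seed provisioned into the user's token and held by the bank
# (constructed value for this example, not from any real device).
TOKEN_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_cents: int

    def canonical(self) -> bytes:
        # The fields the user confirms on the token's own display before it emits a code.
        return f"{self.to_account}|{self.amount_cents}".encode()


def otp_from_mac(mac: bytes) -> str:
    # Truncate the MAC to an 8-digit code a person can type (constructed format).
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def login_otp(seed: bytes, challenge: bytes) -> str:
    """Authenticates the session only: the code says nothing about what is sent later."""
    return otp_from_mac(hmac.new(seed, b"login|" + challenge, hashlib.sha256).digest())


def transaction_otp(seed: bytes, challenge: bytes, tx: Transfer) -> str:
    """Authorises one transfer: the code is bound to the challenge, payee and amount."""
    msg = b"tx|" + challenge + b"|" + tx.canonical()
    return otp_from_mac(hmac.new(seed, msg, hashlib.sha256).digest())


class Bank:
    def __init__(self, seed: bytes, require_tx_signing: bool):
        self.seed = seed
        self.require_tx_signing = require_tx_signing
        self.session_open = False
        self.accepted: list[Transfer] = []
        self._challenge: bytes | None = None

    def challenge(self) -> bytes:
        # Fresh per-use challenge; consumed on the next login/submit so codes cannot be replayed.
        self._challenge = secrets.token_bytes(8)
        return self._challenge

    def login(self, otp: str) -> bool:
        ok = self._challenge is not None and hmac.compare_digest(
            otp, login_otp(self.seed, self._challenge))
        self._challenge = None
        self.session_open = ok
        return ok

    def submit(self, tx: Transfer, otp: str | None = None) -> bool:
        if not self.session_open:
            return False
        if self.require_tx_signing:
            if otp is None or self._challenge is None:
                return False
            # Recompute over the transfer the bank actually received, not what the user meant.
            expected = transaction_otp(self.seed, self._challenge, tx)
            self._challenge = None
            if not hmac.compare_digest(otp, expected):
                return False
        self.accepted.append(tx)
        return True


def run_scenario(require_tx_signing: bool) -> dict:
    """Hijacked-PC scenario: malware waits for the user's session, then tries its own transfer."""
    bank = Bank(TOKEN_SEED, require_tx_signing)
    user_intends = Transfer("BSB123-legit-payee", 5_000)      # constructed
    malware_wants = Transfer("BSB999-attacker", 900_000)      # constructed

    # Login: user reads the challenge, types it into the token, enters the code.
    bank.login(login_otp(TOKEN_SEED, bank.challenge()))

    chal = bank.challenge()
    if require_tx_signing:
        # Token signs what the user confirmed on its own display...
        otp = transaction_otp(TOKEN_SEED, chal, user_intends)
        # ...but the compromised browser swaps payee and amount in the request.
        attacker_ok = bank.submit(malware_wants, otp)
        # A genuine submission with a fresh challenge still goes through.
        chal = bank.challenge()
        legit_ok = bank.submit(user_intends, transaction_otp(TOKEN_SEED, chal, user_intends))
    else:
        # Nothing ties the session to a transfer; malware simply sends its own first.
        attacker_ok = bank.submit(malware_wants)
        legit_ok = bank.submit(user_intends)

    return {"attacker_transfer_accepted": attacker_ok,
            "legit_transfer_accepted": legit_ok,
            "accepted": bank.accepted}
```

`run_scenario(False)` accepts both transfers, the attacker's included; `run_scenario(True)` rejects the substituted transfer and accepts only the one the user confirmed on the token. The per-transaction challenge also stops a captured code from being replayed against a second transfer.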