[LINK] Banks eye bootable Linux CDs
Glen Turner
glen.turner at aarnet.edu.au
Sun Mar 27 12:40:34 EST 2005
David Lochrin wrote:
>
> Man-in-the-middle attacks like that are not possible with IPsec (encrypted & authenticated) transport
You've missed my point. SSL/IPsec secures the Bank computer<-->PC
connection. That's not much use if the PC is under the control
of a hostile program. In that case, once the user has authenticated
(with a token or otherwise) the hostile program can pump down
bogus transactions.
Transaction authentication moves the trust relationship from bank
mainframe <--> user's PC to bank mainframe <--> token. So the
token itself would need to be subverted to authorise a bogus
transaction.
> Authenticating each transaction shouldn't be necessary if the session is properly secured.
But it's not properly secured. Users' PCs are crawling with hostile
programs -- viruses, spyware, trojans, etc.
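As an added illustration of the trust shift the reply describes (example code, not from the original post or the list), the following constructed model has a token MAC each transaction with a key the PC never holds; the bank verifies that tag, so a hostile program rewriting the request inside an otherwise secured session is detected. The secret, account numbers and amounts are invented placeholders.

```python
import hashlib
import hmac
import json

# Constructed example secret: held inside the token and by the bank's
# verifier, never exposed to the PC. Real deployments use per-token keys.
TOKEN_SECRET = b"constructed-example-token-key"


def canonical(tx: dict) -> bytes:
    """Fixed encoding of the fields the token shows the user and then signs."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def token_authorise(tx: dict, secret: bytes = TOKEN_SECRET) -> str:
    """Token side: the user confirms the displayed fields, the token MACs them."""
    return hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()


def bank_verify(tx: dict, tag: str, secret: bytes = TOKEN_SECRET) -> bool:
    """Bank side: recompute the MAC over the fields actually received."""
    expected = hmac.new(secret, canonical(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def submit_via_pc(tx: dict, tag: str, pc_compromised: bool) -> dict:
    """Model the PC forwarding the request to the bank inside an already
    authenticated session. A hostile program can rewrite the payload, but it
    has no access to the token's secret, so the tag goes through unchanged."""
    if pc_compromised:
        tx = dict(tx, to="ACC-ATTACKER", amount="5000.00")  # constructed
    return {"tx": tx, "tag": tag}


def run(pc_compromised: bool) -> bool:
    """Return whether the bank accepts the transaction that reached it."""
    # 'seq' binds the tag to one transaction; values are constructed.
    intended = {"to": "ACC-1234", "amount": "100.00", "seq": 1}
    tag = token_authorise(intended)
    received = submit_via_pc(intended, tag, pc_compromised)
    return bank_verify(received["tx"], received["tag"])


if __name__ == "__main__":
    print("clean PC accepted:", run(pc_compromised=False))   # True
    print("hostile PC accepted:", run(pc_compromised=True))  # False
```

With a session-only design there is no per-transaction tag for the bank to check, so the rewritten request above would be accepted as coming from the authenticated user.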