[LINK] Consumer computer security
rchirgwin at ozemail.com.au
Wed Jan 24 18:39:08 AEDT 2007
Glen wrote:
>
>That's a real problem for the bank's applications programmer, since
>they now have no way to correct the deficiencies of the operating
>system. For example, both Windows and Linux will allow secrets to
>be entered through the keyboard whereas the applications programmer
>might prefer them to be entered using a randomised on-screen keyboard
>so that keyloggers cannot replay the keys.
>
>
Well ... we could go "back to the future", and give up the convenience
of the browser, instead having consumers use a purpose-built application
from the bank. The first Advance Bank application I used was delivered
as an EXE on a floppy disk; then, so you could install it, you had to
phone a number which recited the program's hash, which you typed in so
as to complete the install.
OK: this would not be 100% secure against (say) eavesdropping on the
network, but it would break the back of phishing, because you could not
invoke the application from the e-mail or the Web browser. Would this be
so much more expensive than, for example, shipping tokens to customers?
Of course, an installed logger could capture key data and, I suppose,
mouse clicks, but you would still need an authenticated copy of the
application to use captured data. This may be avoidable or beatable?
I fully expect bigger brains to shoot down the idea (e.g. "what about
Linux?" Answer: have the application compiled cross-platform). But the
bank would also get better traceability of application usage. The loss
of convenience is that the app is not so easily transportable ... but
only a fool banks from Internet cafes.
RC
>Without changes to PC hardware there are no simple answers here. The
>PC even lacks a genuine Secure Attention Key so that you can be
>sure your Linux Live CD for Banking is loading on real hardware rather
>than some nefarious emulator.
>
>There's also the problem of secure delivery of the Live CD.
>
>But we're starting from a low base here, so I suppose any
>improvement is worthwhile.
>