Fwd: Re: [LINK] Security tokens

David Lochrin dlochrin at d2.net.au
Thu Nov 15 13:17:20 AEDT 2007


----------  Forwarded Message  ----------

Subject: Re: [LINK] Security tokens
Date: Thursday 15 November 2007 11:51
From: steve jenkin <sjenkin at canb.auug.org.au>
To: dlochrin at d2.net.au

David Lochrin wrote on 15/11/07 11:26 AM:


The 'E-gold' trojan has been around for some time and hijacks an SSL connection post authentication.

That's as bad as you can get - it isn't MTM, but worse. SSL doesn't help. Users aren't aware of extra window either...

Using SSL for sign-on is mandatory - but only stops network based sniffing, can't stop malware snooping/injection.

The only counter is per-transaction authorisation.
"Out of band" alerts & auth (SMS) are ideal.

>    One bank, to take an example, only requests a token password when a user
> first establishes a session so a man-in-the-middle (MIM) attacker could
> presumably hijack the session after that point and take their time to do
> what they pleased.
>
>    It would be much better to request a token password when committing any
> "sensitive" (involving transfer of funds) transaction because the password
> could then be tied to the particular transaction.  It would have to be
> entered at a point in the user dialogue where the server asks for
> confirmation of a transaction it has already set up.
>
>    Having said that, I think all banks would use an SSL connection for the
> full duration of each browser session and I believe SSL provides good
> protection against MIM attacks.  Even so, use of token passwords when
> committing sensitive transactions would probably circumvent more
> sophisticated MIM attacks mediated by malware in a user's computer, if
> that's possible.
>
>    In the past, at least, I know of one share-trading institution which
> only used SSL during the authentication phase.
>
> David
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

--
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
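The per-transaction authorisation both posters describe, as an added example (not code from the list or either poster): a transaction-signing token computes a code from the destination and amount the user keys in, and the bank recomputes it over the transaction it actually recorded, so a transfer altered by malware between browser and server fails the check. The token key and account numbers are constructed placeholders.

```python
import hmac
import hashlib
import secrets

# Hypothetical shared secret between the user's token and the bank
# (constructed for this example; a real deployment provisions one per token).
TOKEN_KEYS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}


def canonical(challenge: bytes, dest_account: str, amount_cents: int) -> bytes:
    """Unambiguous encoding of the fields the code must be tied to."""
    return challenge + b"|" + dest_account.encode() + b"|" + str(amount_cents).encode()


def transaction_code(key: bytes, challenge: bytes, dest_account: str, amount_cents: int) -> str:
    """6-digit code derived from the key AND the transaction details, as a
    transaction-signing token would compute from what the user keys in."""
    mac = hmac.new(key, canonical(challenge, dest_account, amount_cents), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Server side: verifies the code against the transaction it set up itself,
    never against values resubmitted by the client in the confirmation step."""

    def __init__(self):
        self.pending = {}

    def begin_transfer(self, user: str, dest_account: str, amount_cents: int):
        txid = secrets.token_hex(8)
        challenge = secrets.token_bytes(8)  # fresh per transaction, shown to the user
        self.pending[txid] = (user, dest_account, amount_cents, challenge)
        return txid, challenge

    def confirm(self, txid: str, code: str) -> bool:
        tx = self.pending.pop(txid, None)  # single use: a captured code cannot be replayed
        if tx is None:
            return False
        user, dest, amount, challenge = tx
        expected = transaction_code(TOKEN_KEYS[user], challenge, dest, amount)
        return hmac.compare_digest(expected, code)


def simulate(intended_dest, intended_amount, received_dest, received_amount) -> bool:
    """Alice intends one transfer; what reaches the bank may have been altered.
    Her token signs what she intends, so the check fails whenever they differ."""
    bank = Bank()
    txid, challenge = bank.begin_transfer("alice", received_dest, received_amount)
    code = transaction_code(TOKEN_KEYS["alice"], challenge, intended_dest, intended_amount)
    return bank.confirm(txid, code)
```

A session-start token password gives none of this: once the session is authenticated, every later transfer rides on it, which is exactly the window the post-authentication hijack uses.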

-------------------------------------------------------
