Fwd: Re: [LINK] Security tokens
David Lochrin
dlochrin at d2.net.au
Thu Nov 15 13:17:20 AEDT 2007
---------- Forwarded Message ----------
Subject: Re: [LINK] Security tokens
Date: Thursday 15 November 2007 11:51
From: steve jenkin <sjenkin at canb.auug.org.au>
To: dlochrin at d2.net.au
David Lochrin wrote on 15/11/07 11:26 AM:
The 'E-gold' trojan has been around for some time and hijacks an SSL connection post authentication.
That's as bad as you can get - it isn't MTM, but worse. SSL doesn't help. Users aren't aware of the extra window either...
Using SSL for sign-on is mandatory - but only stops network based sniffing, can't stop malware snooping/injection.
The only counter is per-transaction authorisation.
"Out of band" alerts & auth (SMS) are ideal.
> One bank, to take an example, only requests a token password when a user
> first establishes a session so a man-in-the-middle (MIM) attacker could
> presumably hijack the session after that point and take their time to do
> what they pleased.
>
> It would be much better to request a token password when committing any
> "sensitive" (involving transfer of funds) transaction because the password
> could then be tied to the particular transaction. It would have to be
> entered at a point in the user dialogue where the server asks for
> confirmation of a transaction it has already set up.
>
> Having said that, I think all banks would use an SSL connection for the
> full duration of each browser session and I believe SSL provides good
> protection against MIM attacks. Even so, use of token passwords when
> committing sensitive transactions would probably circumvent more
> sophisticated MIM attacks mediated by malware in a user's computer, if
> that's possible.
>
> In the past, at least, I know of one share-trading institution which
> only used SSL during the authentication phase.
>
> David
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA
sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
-------------------------------------------------------
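The contrast the thread draws (a token code typed only at sign-on versus one tied to the transaction the server has already set up) can be shown in a few lines. This is an added illustration, not code from either correspondent or from any bank; the secret, account numbers, amounts and the HMAC-based code derivation are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed secret for the example; a real token holds a per-user key provisioned by the bank.
TOKEN_SECRET = b"constructed-example-secret"


def transaction_code(secret: bytes, counter: int, dest: str, amount_cents: int, digits: int = 6) -> str:
    """Code bound to the transaction the server set up: HOTP-style truncation of an HMAC over
    the token counter, the destination account and the amount the user was shown."""
    d = dest.encode()
    msg = struct.pack(">Q", counter) + struct.pack(">H", len(d)) + d + struct.pack(">Q", amount_cents)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def session_code(secret: bytes, counter: int) -> str:
    """Sign-on-only code, as in the bank described in the thread: bound to nothing but the counter."""
    return transaction_code(secret, counter, "", 0)


def server_accepts(secret: bytes, counter: int, dest: str, amount_cents: int,
                   code: str, per_transaction: bool) -> bool:
    """Server-side check. With per_transaction=False the bank only ever checked the sign-on
    code, so anything injected into the already-authenticated session is accepted."""
    if per_transaction:
        expected = transaction_code(secret, counter, dest, amount_cents)
    else:
        expected = session_code(secret, counter)
    return hmac.compare_digest(expected, code)


def hijack_outcome(per_transaction: bool) -> bool:
    """Model the post-authentication hijack the thread describes: the user approves one payment,
    malware in the browser rewrites payee and amount before they reach the bank.
    Returns True if the altered transaction is accepted (constructed scenario)."""
    counter = 7
    intended = ("ACC-PLUMBER-123", 15_000)   # what the user read and approved
    altered = ("ACC-MULE-999", 900_000)      # what is actually submitted
    if per_transaction:
        code = transaction_code(TOKEN_SECRET, counter, *intended)  # typed for what the user saw
    else:
        code = session_code(TOKEN_SECRET, counter)                 # typed once, at sign-on
    return server_accepts(TOKEN_SECRET, counter, *altered, code, per_transaction)
```

The binding only helps if the details the user confirms (out of band, or on the token's own display) are the ones fed into the code, not values re-displayed by the possibly compromised browser.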