tom wrote:
> I'm sure banks could come up with very secure methods online - irrespective of how shit your home OS is security wise.

It isn't possible without some sort of out-of-band communication. In any transaction, to have a secure channel you need to be sure that both ends are who they say they are. If your OS is compromised it is game over at step one for most online banking systems. When you can't point a browser at a URL or IP address and expect it to deliver content from your bank, when you can't trust your SSL library, you have to do something else to establish trust, and that brings in expense and complexity.

NatWest have gone with making your end point a card reader they send you, so that the secure channel is between the bank and the card reader. Although this may still be exploitable if none of the information on your screen is trustworthy, since that screen includes information on what to do if something goes wrong. i.e. you select "Pay Electricity company", but this is sent to the bank as "Pay crook", and the transaction you sign is thus "pay crook", and when you think something is wrong you ring the phone number on the website and tell them any extra data they need to "authenticate yourself".

Probably the "cheapest" solution would be to authenticate all online transactions via SMS, so someone has to steal your mobile phone and compromise your PC. Although that doesn't work well for banking done using your mobile phone's browser if the phone has been owned.

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
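The payee substitution described in the post, as an added illustration that is not part of the thread: a small Python model of a compromised PC, a card reader and the bank, using a constructed shared secret. It shows that a reader which lets the user check the payee and amount before signing catches the "Pay crook" swap, while one that signs without showing anything the user can verify (the same weakness applies to an SMS code that carries no transaction details) lets the swapped transaction through.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed demo secret shared by the bank and the customer's card reader
# (an assumption for this model; real schemes keep per-card keys on the chip).
CARD_SECRET = b"constructed-demo-card-secret"


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_pence: int

    def canonical(self) -> bytes:
        # Fixed encoding so the reader and the bank MAC exactly the same bytes.
        return f"{self.payee}|{self.amount_pence}".encode()


def reader_sign(tx: Transaction, user_intent: Optional[Transaction]) -> Optional[bytes]:
    """Model of the card reader. If it can show payee and amount, the user compares
    them with what they meant to pay and declines on a mismatch. user_intent=None
    models a reader (or SMS code) that shows nothing the user can check."""
    if user_intent is not None and tx != user_intent:
        return None  # the reader shows "Pay crook" and the user refuses to sign
    return hmac.new(CARD_SECRET, tx.canonical(), hashlib.sha256).digest()


def bank_verify(tx: Transaction, sig: bytes) -> bool:
    """The bank recomputes the MAC over what it received and compares it."""
    expected = hmac.new(CARD_SECRET, tx.canonical(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_payment(intended: Transaction, pc_compromised: bool,
                reader_shows_details: bool) -> Tuple[str, str]:
    """Return (outcome, payee the bank acted on). A compromised PC swaps the payee
    between the user's click and everything downstream, while the PC's own screen
    still shows what the user expects."""
    submitted = (Transaction("Pay crook", intended.amount_pence)
                 if pc_compromised else intended)
    sig = reader_sign(submitted, intended if reader_shows_details else None)
    if sig is None:
        return ("declined at reader", "")
    if not bank_verify(submitted, sig):
        return ("rejected by bank", "")
    return ("executed", submitted.payee)
```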