Ain't got a mobile phone - ain't got a signal here. Once again though - what makes you feel SMS is secure? The signal is available 'locally' so that's crackable too. What makes you think the NatWest secure channel is not vulnerable to man in the middle? Does it use quantum entangling, 'cos if it doesn't it will be vulnerable. This is one of those 'unsolvable' problems - whatever you do the problem merely moves somewhere else in the system, never ever goes away. So live with that, work 'round' it - make it so difficult for the crook it's not worth the effort; by the time they've identified the method of security chosen for a particular transaction it's too late for them to exploit it. I saw random encryption techniques many years ago and have often wondered what happened to it, but it looked as good as you can get.

Simon Waters wrote:
> tom wrote:
>> I'm sure banks could come up with very secure methods online - irrespective of how shit your home OS is security-wise.
>
> It isn't possible without some sort of out-of-band communication. In any transaction, to have a secure channel you need to be sure that both ends are who they say they are. If your OS is compromised it is game over at step one for most online banking systems. When you can't point a browser at a URL or IP address and expect it to deliver content from your bank, when you can't trust your SSL library, you have to do something else to establish trust, and that brings in expense and complexity.
>
> NatWest have gone with making your end point a card reader they send you, so that the secure channel is between the bank and the card reader. Although this may still be exploitable if none of the information on your screen is trustworthy, since that screen includes information on what to do if something goes wrong. i.e. you select "Pay Electricity company", but this is sent to the bank as "Pay crook", and the transaction you sign is thus "pay crook", and when you think something is wrong you ring the phone number on the website and tell them any extra data they need to "authenticate yourself".
>
> Probably the "cheapest" solution would be to authenticate all online transactions via SMS, so someone has to steal your mobile phone and compromise your PC. Although that doesn't work well for banking done using your mobile phone's browser if the phone has been owned.
Tom te tom te tom

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
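The "Pay Electricity company" becomes "Pay crook" substitution that Simon describes is the classic "what you see is not what you sign" failure: if the card reader only proves that the card is present, a compromised PC can change the payee between the screen and the bank and the signature still verifies. The following is an added example written for this page, not code from the thread or from any bank; it assumes, for illustration only, that the card and the bank share a per-card secret and that the reader's response is an HMAC-SHA256 tag (a real NatWest/CAP reader uses EMV card cryptograms, which are not modelled here), and it models the compromised PC as a function that rewrites the payee. It contrasts a reader that signs only the bank's challenge with one into which the user keys the intended payee and amount so they are bound into the tag.

```python
"""Added example (not from the thread): a toy model of the "what you see is
not what you sign" problem Simon describes with the NatWest card reader.

Assumptions, none of which come from the page: the card and the bank share a
per-card secret and the reader's response is an HMAC-SHA256 tag (the real
reader uses EMV card cryptograms, not modelled here); the compromised PC is
modelled as a function that rewrites the payee before the bank sees it.
"""
import hashlib
import hmac
import secrets

CARD_KEY = b"constructed-per-card-secret"  # constructed; known only to card and bank


def sign_challenge_only(key, challenge):
    # Weak mode: the reader authenticates the *session*, not the payment,
    # so the tag says nothing about which transaction is being approved.
    return hmac.new(key, challenge, hashlib.sha256).hexdigest()


def sign_bound(key, challenge, payee, amount_pence):
    # Binding mode: payee and amount are keyed into the reader by the user
    # and mixed into the tag, so the PC cannot change them afterwards.
    msg = b"|".join([challenge, payee.encode(), str(amount_pence).encode()])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self, key):
        self.key = key
        self.pending = {}  # challenge -> (payee, amount) as the bank received it

    def start_payment(self, payee, amount_pence):
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = (payee, amount_pence)
        return challenge

    def finish(self, challenge, tag, bound):
        payee, amount = self.pending.pop(challenge)
        if bound:
            expected = sign_bound(self.key, challenge, payee, amount)
        else:
            expected = sign_challenge_only(self.key, challenge)
        verdict = "PAID" if hmac.compare_digest(expected, tag) else "REJECTED"
        return (verdict, payee, amount)


def honest_pc(payee, amount_pence):
    # Clean PC: the bank is told exactly what the user selected.
    return (payee, amount_pence)


def compromised_pc(payee, amount_pence):
    # Malware: whatever the user picked on screen, the bank is told to pay the crook.
    return ("Crook Ltd", amount_pence)


def run_payment(pc, bound):
    """Simulate one payment. The user intends to pay the electricity company;
    `pc` decides what actually reaches the bank; `bound` selects the reader mode.
    Returns (verdict, payee_as_seen_by_bank, amount)."""
    bank = Bank(CARD_KEY)
    user_payee, user_amount = "Electricity Co", 4500  # constructed transaction
    challenge = bank.start_payment(*pc(user_payee, user_amount))
    if bound:
        # The user keys the payee and amount they *intend* into the reader keypad.
        tag = sign_bound(CARD_KEY, challenge, user_payee, user_amount)
    else:
        # The user just copies the bank's challenge into the reader and the
        # resulting code back into the browser.
        tag = sign_challenge_only(CARD_KEY, challenge)
    return bank.finish(challenge, tag, bound)


if __name__ == "__main__":
    for pc in (honest_pc, compromised_pc):
        for bound in (False, True):
            mode = "bound" if bound else "challenge-only"
            print(f"{pc.__name__:15s} {mode:15s} {run_payment(pc, bound)}")
```

With the compromised PC the challenge-only reader yields `("PAID", "Crook Ltd", 4500)`: the bank sees a valid card response and pays whoever the malware named. The bound reader yields `("REJECTED", "Crook Ltd", 4500)`, because the tag was computed over "Electricity Co" on the reader and the bank checks it against the payee it actually received. The binding only holds, though, while the user keys the payee from their own records; if they copy an account number the compromised screen shows them, or ring the phone number the screen gives and hand over their details, as Simon points out, the malware gets the crook's details signed for it.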