D&C GLug - Home Page


Re: [LUG] Linux to the rescue part2


Simon Waters wrote:
tom wrote:
Ain't got a mobile phone - ain't got a signal here.

Which is one reason not to do it. On the other hand they could call you
on a land line. Paypal, Ebay and Google already use SMS or telephones
widely for out of band checks on identity at various points.

Once again though - what makes you feel SMS is secure?

I didn't say it was, on the other hand unless the compromised machine
is your mobile phone it gets around the issue of the end user's computer
being compromised, which WAS the problem being discussed.

The signal is available 'locally' so
that's crackable too.

Good luck - but a different problem and skill set. And when you say
"locally" you mean local to you not necessarily the person or group who
compromise Desktop PCs.

What makes you think the NatWest secure channel is
not vulnerable to man in the middle?

I outlined how it could be defeated with social engineering. Again it
may be that this secure channel is defeatable but that is a harder
problem than owning a desktop PC.

This is one of those 'unsolvable' problems

No the problem being discussed was what to do about compromised machines
- which is solvable - one solution is out of band communication. Also
the assumption that mobile phone and computer or phone and computer are
not one and the same isn't strong.
Recently a card reader in a local garage was compromised - any 'out of band' can in a situation like that - if SMS becomes worth hacking, someone will work out a way of doing it. Mobile phones are already hacked on a variety of levels, and the same people who allow their computer to be compromised will be just those who allow their phones to be compromised too.
I'm not sure bootable CDs is a good solution since that will just
encourage people who compromise PCs to hack with your BIOS or other
state information between boots.

I saw random encryption techniques many years ago and have often
wondered what happened to it but it looked as good as you can get.

How exactly would this help for a compromised PC in online banking?
Because the intercepted data means nothing - it's not like intercepting the POST data and finding 'account' and then overloading that, or looking for any other details, as these are identified by different means, generated individually each time, and encrypted differently. These things can be done in a way that makes it nigh on impossible for the data transferred either way to be identified mechanically quickly enough to undetectably interfere. Use of 3rd parties (via Ajax) as well can mean the only way to intercept AND send a valid response is financially more costly than any transaction redirect is worth. It just has to be done in such a way that it's still user-friendly - and it's not too hard.
Tom te tom te tom



--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html