I completely agree with Florian. Banking Trojans are the main security concern of German banks. One of them (Hypovereinsbank) issued a warning just below the main login page about a Trojan that collected 4 transaction numbers at once. To protect against MITM attacks, the ideal case would be to enter all transaction data (account number, bank number, amount, challenge) into a separate cryptographic OTP generator. However, this is a clear case of usability vs. security. If at least the account number is entered, the phisher needs the same account at another bank to be successful, otherwise the manipulation will be detected by the bank. Joerg -----Ursprüngliche Nachricht----- Von: Florian Weimer [mailto:fw@deneb.enyo.de] Gesendet: Donnerstag, 15. März 2007 12:24 An: Chris Drake Cc: Jörg Schwenk; 'Dan Schutzer'; 'James A. Donald'; public-usable-authentication@w3.org Betreff: Re: AW: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistent to online and offline attacks) * Chris Drake: > How is this a solution? Giving the man in the middle both the > transaction number, and the answer to the random challenge still > enables him to do whatever he wants (allbeit just "now", as opposed to > anytime he wants "in future"). The response to the challenge is tied to the target bank account number of the bank transfer (which is why the customer needs to enter it on the token). > Are German banks doing anything to help tell the customer that they're > banking on the correct web site, and not some imitation phishing > version? Typically, the customer PC is compromised, so they are at risk even if they visit the right web site. > My guess is that they're not protecting against MiTM at all, and > simply using disposable identifiers to minimize/limit phishing risks > to single-sessions. Uhm, no. MITM is a significant concern.
Received on Friday, 16 March 2007 19:48:44 UTC