- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 28 Mar 2012 13:04:31 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: "Adrien W. de Croy" <adrien@qbik.com>, Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Mar 28, 2012 at 12:15:31PM +0200, Henry Story wrote:
> > From: "Henry Story" <henry.story@bblfish.net>
> >>
> >> So your argument is stronger, since you argue that a lot of computers are malware
> >> infested. Of course there the thing to do is for banks to add other methods of
> >> verification or notification,
> >>
> > you're right on this count. One of my banks used to rely just on
> > SSL/TLS.
> >
> > Now I have to carry a watch-word around... in fact 3 of them for my 3
> > banks.
>
> They could also just use systems such as those they use for credit cards: to
> look at usage patterns. Sending an SMS is also a good method, using a different
> system.

Believe me, this has already been done. It looks like you have no idea what the malware market is right now. Did you hear about Zitmo, for instance? In short, malware on the mobile is already able to catch your SMS and to correlate them with your PC session. Malware in the browser is already able to record your soft cards after a few uses, or to take snapshots of the areas you click on the screen and decode virtual keyboards. It's not science-fiction, it's for real. Right now it's not a big issue only because banks resolve the issue pretty much in favor of the user. For how long will this last? I have no idea.

Sure we must secure the lower layer, but this has already been done everywhere the bad is done.

Willy
Received on Wednesday, 28 March 2012 11:05:09 UTC