AW: AW: AW: Magic Bullet (proposal for in-browser secure 2-way authentication resistant to online and offline attacks)

I completely agree with Florian. Banking Trojans are the main security
concern of German banks. One of them (Hypovereinsbank) issued a warning just
below the main login page about a Trojan that collected 4 transaction
numbers at once. 

To protect against MITM attacks, the ideal case would be to enter all
transaction data (account number, bank number, amount, challenge) into a
separate cryptographic OTP generator. However, this is a clear case of
usability vs. security. If at least the account number is entered, the
phisher needs the same account at another bank to be successful, otherwise
the manipulation will be detected by the bank.

Joerg

-----Original Message-----
From: Florian Weimer [mailto:fw@deneb.enyo.de]
Sent: Thursday, 15 March 2007 12:24
To: Chris Drake
Cc: Jörg Schwenk; 'Dan Schutzer'; 'James A. Donald';
public-usable-authentication@w3.org
Subject: Re: AW: AW: Magic Bullet (proposal for in-browser secure 2-way
authentication resistant to online and offline attacks)

* Chris Drake:

> How is this a solution?  Giving the man in the middle both the
> transaction number, and the answer to the random challenge still
> enables him to do whatever he wants (albeit just "now", as opposed to
> anytime he wants "in future").

The response to the challenge is tied to the target bank account
number of the bank transfer (which is why the customer needs to enter
it on the token).

> Are German banks doing anything to help tell the customer that they're
> banking on the correct web site, and not some imitation phishing
> version?

Typically, the customer PC is compromised, so they are at risk even if
they visit the right web site.

> My guess is that they're not protecting against MiTM at all, and
> simply using disposable identifiers to minimize/limit phishing risks
> to single-sessions.

Uhm, no.  MITM is a significant concern.
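As an added illustration of the binding Florian and Joerg describe (example code written for this archive page, not code from either message or from any bank's token): a toy transaction-bound response in Python. The HMAC construction, the seed, the challenge and the account numbers are constructed assumptions; real OTP generators use their own algorithms and field encodings.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample values for this illustration (not real keys or accounts).
TOKEN_SEED = b"per-customer-secret-provisioned-into-the-token"
CHALLENGE = "48213907"  # issued by the bank for this one transfer


def token_response(seed: bytes, challenge: str, account: str, amount: str,
                   bind_transaction: bool = True) -> str:
    """Response computed by the customer's OTP generator.

    With bind_transaction=True the customer types challenge, target
    account number and amount into the token, so the response covers all
    of them. With False it covers the challenge only (the weaker design
    Chris Drake was worried about)."""
    msg = f"{challenge}|{account}|{amount}" if bind_transaction else challenge
    # 8 hex digits: short enough to type, still bound to the data entered.
    return hmac.new(seed, msg.encode(), hashlib.sha256).hexdigest()[:8]


def bank_accepts(seed: bytes, challenge: str, account: str, amount: str,
                 response: str, bind_transaction: bool = True) -> bool:
    """The bank recomputes the response over the transaction data it
    actually received from the browser and compares in constant time."""
    expected = token_response(seed, challenge, account, amount, bind_transaction)
    return hmac.compare_digest(expected, response)


def run_transfer(intended_account: str, amount: str,
                 mitm_account: Optional[str] = None,
                 bind_transaction: bool = True) -> Tuple[bool, str]:
    """Simulate one transfer. The customer enters the transaction they
    intend into the token; a MITM (Trojan or proxy) may swap the target
    account in what the bank receives. Returns (accepted, account credited)."""
    response = token_response(TOKEN_SEED, CHALLENGE, intended_account, amount,
                              bind_transaction)
    submitted = mitm_account if mitm_account is not None else intended_account
    accepted = bank_accepts(TOKEN_SEED, CHALLENGE, submitted, amount, response,
                            bind_transaction)
    return accepted, submitted


if __name__ == "__main__":
    # Honest transfer, a swapped account with binding (detected by the bank),
    # and a swapped account without binding (the manipulation goes through).
    print(run_transfer("12345678", "100.00"))
    print(run_transfer("12345678", "100.00", mitm_account="99999999"))
    print(run_transfer("12345678", "100.00", "99999999", bind_transaction=False))
```

The third call shows why Joerg insists on entering at least the account number on the token: with the challenge alone, a substituted target account still verifies.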

Received on Friday, 16 March 2007 19:48:44 UTC