[145039] in cryptography@c2.net mail archive


Crypto dongles to secure online transactions

daemon@ATHENA.MIT.EDU (John Levine)
Sun Nov 8 13:07:18 2009

Date: 8 Nov 2009 07:07:44 -0000
From: John Levine <johnl@iecc.com>
To: cryptography@metzdowd.com

At a meeting a few weeks ago I was talking to a guy from BITS, the
e-commerce part of the Financial Services Roundtable, about the way
that malware-infected PCs break all banks' fancy multi-password logins
since no matter how complex the login process, a botted PC can wait
until you log in, then send fake transactions during your legitimate
session.  This is apparently a big problem in Europe.

I told him about an approach to use a security dongle that puts the
display and confirmation outside the range of the malware, and
although I thought it was fairly obvious, he'd apparently never heard
it before.  When I said I'd been thinking about it for a while, he
asked if I could write it up so we could discuss it further.

So before I send it off, if people have a moment could you look at it
and tell me if I'm missing something egregiously obvious?  Tnx.

I've made it an entry in my blog at

http://weblog.johnlevine.com/Money/securetrans.html 

Ignore the 2008 date, a temporary fake to keep it from showing up on
the home page and RSS feed.

R's,
John
