[145045] in cryptography@c2.net mail archive
Re: Crypto dongles to secure online transactions
daemon@ATHENA.MIT.EDU (Thorsten Holz)
Mon Nov 9 20:01:15 2009
From: Thorsten Holz <thorsten.holz@informatik.uni-mannheim.de>
In-Reply-To: <20091108070744.1600.qmail@simone.iecc.com>
Date: Sun, 8 Nov 2009 18:45:58 -0600
Cc: cryptography@metzdowd.com
To: John Levine <johnl@iecc.com>
On 08.11.2009, at 01:07, John Levine wrote:
> I've made it an entry in my blog at
>
> http://weblog.johnlevine.com/Money/securetrans.html
Actually, this type of problem is pretty common in Europe; most banks
have to deal with malware that threatens their customers. One of the
most advanced keyloggers out there is currently URLZone, which can
also perform MitM attacks and transparently re-routes money transfers,
defeating iTan (index transaction number) systems (see
http://www.finjan.com/MCRCblog.aspx?EntryId=2345).

There are several approaches to stop (or at least make it more
difficult) this attack vector. A prototype of a system that implements
the techniques described in your blog posting was presented by IBM
Zurich about a year ago, see
http://www-03.ibm.com/press/us/en/pressrelease/25828.wss
for details. Other manufacturers implemented similar approaches,
where some kind of trusted device is attached to the machine and also
the banking card of the customer is used to verify transactions.

Regards,
Thorsten