[19139] in cryptography@c2.net mail archive
AW: [Clips] Banks Seek Better Online-Security Tools
daemon@ATHENA.MIT.EDU (Kuehn, Ulrich)
Wed Dec 7 10:17:14 2005
X-Original-To: cryptography@metzdowd.com
From: "Kuehn, Ulrich" <Ulrich.Kuehn@telekom.de>
To: nbohm@ernest.net, fw@deneb.enyo.de
Cc: cryptography@metzdowd.com
Date: Wed, 7 Dec 2005 14:23:15 +0100
> -----Original Message-----
> From: Nicholas Bohm [mailto:nbohm@ernest.net]
> Sent: Tuesday, 6 December 2005 12:03
> To: Florian Weimer
> Cc: cryptography@metzdowd.com
> Subject: Re: [Clips] Banks Seek Better Online-Security Tools
>
> Florian Weimer wrote:
> > * Nicholas Bohm:
[...]
>
> I hope, not too confidently, that before the attackers adjust
> enough, banks will start giving their customers FINREAD type
> secure-signature-creation devices of decent provenance whose
> security does not rely on non-compromise of my PC or network.
>
In 2000 someone here in Germany already demonstrated how to attack smart card based HBCI transactions. Those transactions are authorized by an RSA signature done by the card.

The attack demonstration used a trojan (I think it was something like Back Orifice) to remote control the victim's PC with the attached smart card reader, so that the PIN entered on the PC keyboard(!) could be sniffed and subsequently the PC including reader and smart card be used as a sort of remote signature generation device, authorizing any transaction of the attacker's choice. So under some circumstances even signature-based authorization does not work as advertised.

The attack relied on the card reader not having a separate keyboard for PIN entry. Interestingly, I wonder what would happen if a reader with display and keyboard is used in an online attack, i.e. the adversary sneaks in a fraudulent transaction when the hash for the signature is computed. I do not know from the top of my head what is supposed to be displayed in the reader's display, so I do not know what impact such an attempt would have.

Any suggestions?

Ulrich
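Added example, not part of the message above or of any HBCI software: a small Python simulation of the trust boundary the thread is discussing. It models a card that signs any digest it is handed once the PIN verifies, a plain reader where both PIN entry and hashing happen on the (possibly compromised) PC, and a reader with its own keypad and display that hashes the transaction itself and shows something to the cardholder before signing. It goes one step beyond the message by also modelling a display that shows only the hash, since that bears on the open question of what the reader displays. All keys, account strings, the malware behaviour and the cardholder's approval rule are constructed for the simulation, and an HMAC stands in for the card's RSA signature.

```python
import hashlib
import hmac
import json

# Constructed values for the simulation. A real card holds an RSA private key
# and the PIN is known only to the cardholder.
CARD_KEY = b"constructed-card-secret-key"
CORRECT_PIN = "1234"
INTENDED_TX = {"from": "DE00 CUSTOMER", "to": "DE00 Alice", "amount": "50.00 EUR"}


def transaction_digest(tx):
    """Canonical hash of the transaction fields; this is all the card ever signs."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).digest()


def card_sign(pin, digest):
    """The smart card: once the PIN verifies it signs whatever digest it is handed.
    HMAC stands in for the card's RSA signature in this simulation."""
    if not hmac.compare_digest(pin.encode(), CORRECT_PIN.encode()):
        raise PermissionError("PIN rejected")
    return hmac.new(CARD_KEY, digest, hashlib.sha256).digest()


def bank_accepts(tx, sig):
    """The bank verifies the signature against the transaction it received."""
    expected = hmac.new(CARD_KEY, transaction_digest(tx), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def swap_payee(tx):
    """Constructed host-side malware: replaces the payee before the digest is formed."""
    return {**tx, "to": "DE00 ATTACKER"}


def plain_reader_flow(intended_tx, pin, malware=None):
    """Reader without keypad or display: the PIN is typed on the PC keyboard and the
    digest is computed on the PC, so a compromised PC sees the PIN and can hand the
    card any digest it likes (the 2000 demonstration described in the thread)."""
    tx = malware(intended_tx) if malware else intended_tx
    return tx, card_sign(pin, transaction_digest(tx))


def secure_reader_flow(intended_tx, pin, render, user_confirms, malware=None):
    """Reader with keypad and display: the PIN never reaches the PC, the reader
    computes the digest itself and shows render(tx, digest) before signing."""
    tx = malware(intended_tx) if malware else intended_tx
    digest = transaction_digest(tx)
    if not user_confirms(render(tx, digest)):
        return tx, None  # cardholder refuses; nothing is signed
    return tx, card_sign(pin, digest)


def render_fields(tx, digest):
    """Display shows the meaning of what is about to be signed."""
    return f"Pay {tx['amount']} to {tx['to']}"


def render_hash_only(tx, digest):
    """Display shows only the digest, which the cardholder cannot relate to a payee."""
    return digest.hex()


def cardholder_confirms(shown):
    """Constructed cardholder rule: approve only if the intended payee is visible."""
    return "Alice" in shown


def demo(pin=CORRECT_PIN):
    """Run the scenarios and report the outcomes a defender cares about."""
    out = {}
    tx, sig = plain_reader_flow(INTENDED_TX, pin)
    out["honest_accepted"] = bank_accepts(tx, sig)

    tx, sig = plain_reader_flow(INTENDED_TX, pin, malware=swap_payee)
    out["plain_reader_fraud_accepted"] = bank_accepts(tx, sig) and tx != INTENDED_TX

    tx, sig = secure_reader_flow(INTENDED_TX, pin, render_fields,
                                 cardholder_confirms, malware=swap_payee)
    out["field_display_fraud_refused"] = sig is None

    fraud_tx = swap_payee(INTENDED_TX)
    legit = render_hash_only(INTENDED_TX, transaction_digest(INTENDED_TX))
    fraud = render_hash_only(fraud_tx, transaction_digest(fraud_tx))
    # With a hash-only display the cardholder's decision is the same for both.
    out["hash_display_indistinguishable_to_cardholder"] = (
        cardholder_confirms(legit) == cardholder_confirms(fraud))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the simulation makes is that moving PIN entry and hashing into the reader only helps if the display shows the transaction's meaning (amount and payee); a reader that shows just the digest still leaves the cardholder unable to detect a substituted transaction.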
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com