Slashdot Mirror


User: Mattpw

Mattpw's activity in the archive.

Stories: 0
Comments: 57

Comments · 57

  1. Re:False security on 178 Arrested In US/EU Credit Card Cloning Ops · · Score: 1

    RSA tokens, and in fact all OTP token devices, are regularly defeated by most of the new trojans who simply MITB (Man-In-The-Browser) their way past them. Look up Zeus for further info. The solution is transaction authentication, which OTP devices cannot do.

  2. Re:Software alone wont ever solve this problem. on How Viruses Evolve Into All-Purpose Malware · · Score: 1

    You are right, the merchants are getting hit probably just as hard as the banks with credit card fraud; I was thinking more of trojans like Zeus etc. which are stealing users' banking logins and then filtering money out of people's accounts to their mules. This liability would or should fall squarely on the banks. The reality is we are probably all getting hit indirectly by this problem and it only seems to grow. Laziness can never be solved, agreed.

  3. Re:Software alone wont ever solve this problem. on How Viruses Evolve Into All-Purpose Malware · · Score: 1

    Oh. I was actually being sarcastic.

    Don't be sarcastic, didn't you know it's the lowest form of wit?

    This won't work. The biggest reason it won't is convenience. Say one credit card company requires such a device, and another promises that they'll be liable for any damages from fraud. Which would you go to?

    You have only given one reason and it's not a security one. I would go with the one which offered me the best security and convenience; you didn't consider the inconvenience caused by having your accounts looted, which the liability doesn't cover.

    If they both make that promise, what does the consumer gain from the device?

    You do realise that shifting the liability onto the banks doesn't actually prevent the theft? The users still pay for it one way or another, and it's not simply a matter of cost or inconvenience to the public but also the lack of faith in an inherently superior and more cost-effective method, i.e. banking online instead of going to a branch.

    And even this would be spectacularly vulnerable, if you can't trust the host system through which you're accessing whatever you're accessing.

    Please define your vulnerability. If you are talking about the banks' servers themselves being attacked, I believe it is very very rare and it would be good if you could provide a reference. The vast majority of trojan cyber crime, which is the issue here, is performed against the users, not the banks' backend servers.

  4. Software alone wont ever solve this problem. on How Viruses Evolve Into All-Purpose Malware · · Score: 5, Insightful

    Call me defeatist, but I believe there is no way the whitehats can out software manoeuvre the blackhats with software-only solutions. The increasing complexity of modern systems ensures that the security holes will only grow, not diminish. But maybe the next software "update" will solve all our problems this time?... The only permanent solution I can see is mass deployment of airgapped two-factor tokens specifically for transaction authentication, not generic OTP, which the trojans are bypassing. This is the only security where I can guarantee what I am authenticating by looking at an airgapped device. I find it increasingly difficult to justify the performance loss for running anti-malware software for the ever-diminishing protection offered.

  5. Google needs to move to two factor authentication on Source Code To Google Authentication System Stolen · · Score: 2, Insightful

    A cheap two-factor solution like passwindow.com, where the user tokens cost nothing to produce, would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?

  6. The banks could include passwindows into their car on What Can Be Done About Security of Debit Cards? · · Score: 1

    There would be no implementation costs as it's just a printed pattern on a transparent region of the cards, and the online authentication security exceeds the vast majority of electronic tokens, even being able to do transaction authentication to defeat MITM attacks.

  7. Re:Let's Look At The Positives on Seeking Competitive Advantage, For Malware · · Score: 2, Informative

    No transaction can occur at our bank without our signature. That means someone has to get off their dead ass and go to the bank and authorize it with proper credentials. It sucks. Someone has a job just to do this. All of the crap is generated on a computer, but until that person toddles over there and signs off on it, nothing happens.

    The problem with a lot of these more manual authentication systems is that while it sounds good from a security point of view, it is quite possibly easier to circumvent the authentication procedure than the complexity with which the trojans are going through. A lot of people think manual phone-based authentication like the SMS authentication option is a good idea; however, the real authentication strength is only as strong as convincing the target's telephone company to forward all their calls to their "new" number. The real authentication is usually only as strong as knowing the target's birthday or similarly googleable information.