[WEB SECURITY] SSL does not = a secure website
Andrew van der Stock
vanderaj at greebo.net
Tue Mar 28 21:14:26 EST 2006
If you look carefully about how it's implemented, it cannot help if a
Trojan is onboard gathering the requisite login information, such as
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",
the value submitted to the website is the same every time. This
virtual keyboard implementation is not robust against anything but
keylogging trojans. Therefore it's security theatre. As a Westpac
customer, I find this frustrating as I have to use this "feature" in
public places frequently, and I'm more concerned about shoulder
surfing in those places.
An example Trojan which is close to breaking the new virtual keyboard:
These virtual keyboards violate accessibility requirements (which are
required to be accessible by law here), and do not fix the primary
issue - phishing.
There's little value in getting into any particular user's Internet
Banking session. The value to the phisher is to conduct transactions,
particularly to move funds out of the country. The only way to reduce
the risk of that today is transaction signing. There are many
different ways of doing this. As a Westpac customer, I'd prefer it
they didn't spend good money on useless toys, but on real ways to
reduce fraud and risk to me.
On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:
> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2234 bytes
Desc: not available
More information about the websecurity