[WEB SECURITY] SSL does not = a secure website

Andrew van der Stock vanderaj at greebo.net
Tue Mar 28 21:14:26 EST 2006


If you look carefully about how it's implemented, it cannot help if a  
Trojan is onboard gathering the requisite login information, such as  
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",  
the value submitted to the website is the same every time. This  
virtual keyboard implementation is not robust against anything but  
keylogging trojans. Therefore it's security theatre. As a Westpac  
customer, I find this frustrating as I have to use this "feature" in  
public places frequently, and I'm more concerned about shoulder  
surfing in those places.

An example Trojan which is close to breaking the new virtual keyboard:
http://www.symantec.com/avcenter/venc/data/pwsteal.bancos.q.html

These virtual keyboards violate accessibility requirements (which are  
required to be accessible by law here), and do not fix the primary  
issue - phishing.

There's little value in getting into any particular user's Internet  
Banking session. The value to the phisher is to conduct transactions,  
particularly to move funds out of the country. The only way to reduce  
the risk of that today is transaction signing. There are many  
different ways of doing this. As a Westpac customer, I'd prefer it  
they didn't spend good money on useless toys, but on real ways to  
reduce fraud and risk to me.

Andrew

On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:

> Westpac Bank in Australia has recently put an on-screen keyboard up.
> Check it out here:
>
> https://online.westpac.com.au/esis/Login/SrvPage
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2234 bytes
Desc: not available
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060329/fcba455e/attachment.p7s>


More information about the websecurity mailing list