[WEB SECURITY] SSL does not = a secure website

Lyal Collins lyal.collins at key2it.com.au
Wed Mar 29 03:54:52 EST 2006

See http://www.dotsec.com/onBank.html for an old flaw that directly affects


-----Original Message-----
From: Andrew van der Stock [mailto:vanderaj at greebo.net] 
Sent: Wednesday, 29 March 2006 1:14 PM
To: Mark Mcdonald
Cc: James Strassburg; Sebastien Deleersnyder; Web Security;
webappsec at securityfocus.com
Subject: Re: [WEB SECURITY] SSL does not = a secure website

If you look carefully about how it's implemented, it cannot help if a  
Trojan is onboard gathering the requisite login information, such as  
a BHO, DOM snooping, or a simple HTTPS proxy. If you enter "xyz123",  
the value submitted to the website is the same every time. This  
virtual keyboard implementation is not robust against anything but  
keylogging trojans. Therefore it's security theatre. As a Westpac  
customer, I find this frustrating as I have to use this "feature" in  
public places frequently, and I'm more concerned about shoulder  
surfing in those places.

An example Trojan which is close to breaking the new virtual keyboard:

These virtual keyboards violate accessibility requirements (which are  
required to be accessible by law here), and do not fix the primary  
issue - phishing.

There's little value in getting into any particular user's Internet  
Banking session. The value to the phisher is to conduct transactions,  
particularly to move funds out of the country. The only way to reduce  
the risk of that today is transaction signing. There are many  
different ways of doing this. As a Westpac customer, I'd prefer it  
they didn't spend good money on useless toys, but on real ways to  
reduce fraud and risk to me.


On 29/03/2006, at 10:41 AM, Mark Mcdonald wrote:

> Westpac Bank in Australia has recently put an on-screen keyboard up. 
> Check it out here:
> https://online.westpac.com.au/esis/Login/SrvPage

The Web Security Mailing List

The Web Security Mailing List Archives

More information about the websecurity mailing list