North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: User negligence?

  • From: Barney Wolff
  • Date: Sun Jul 27 03:01:40 2003

On Sun, Jul 27, 2003 at 12:37:54AM -0400, Sean Donelan wrote:
> Unfortunately there are a lot, and growing number, of self-infected PCs
> on the net.  As the banks point out, this is not a breach of the bank's
> security. Nor is it a breach of the ISP's security.  The user infects
> his PC with a trojan and then the criminal uses the PC to transfer money
> from the user's account, with the user's own password.

The bank hands out ATM cards, but does not offer the customer the option
of logging in with SafeWord or SecureId or any other OTP.  Given how
much the bank saves in labor, it could surely afford the card expense.
But it's easy to see why they don't, since it's the customer, not the
bank, that is taking the risk.

A sufficiently fancy trojan would notice when the user logged into the
bank using OTP and change the destination of a money transfer or add
an invisible transaction, but that's certainly quite a lot harder than
a simple keystroke logger.

Barney Wolff
I'm available by contract or FT, in the NYC metro area or via the 'Net.