Yes, if they were smart, they would force their customers to use anything but IE
Chrome has problems with certain intranet displays
Pan-Galactic Quordlepleen - So Long, and Thanks for All the Fish
Originally posted by Snowhog: My bank uses what I have found to be one of the best log in authentication tools I have seen. The keypad image is selected at the time you set it up, and so, is associated with the initial account number identification. The keypad key layout changes every time you access it (the key button placement is randomized). You have to use your mouse to click on your customized PIN using this keypad. As far as I know, this method is incredibly secure.

Originally posted by Teunis: Since my bank introduced them in 1993 I use a Digipass of Vasco Data Security http://vasco.com, it's easy to use and so far any breaches were due to social engineering. The principle is two-factor authentication via challenge and response.
1. Create an email with a specially-crafted URL and send it to your victim
2. When victim clicks the email, it directs the browser to evil-site.bad
3. evil-site.bad proxies the connection request to the bank -- you'll never see this
4. Your bank login appears
5. You sign in, feeling super secure because you had to do the 2FA dance
6. Your bank thinks you're signed in and starts communicating with your browser
7. But wait...everything's going through the evil-site.bad proxy, remember?
8. Now that you're logged in and have a session token, the bad guy can take over
9. Bad guy performs transactions
Fixing this is not hard: simply require the 2FA again for each transaction. Entire classes of attacks could be eliminated by moving from session authentication to transaction authentication. And it really isn't necessary for banks to invest in hardware tokens for this. Simply have each customer register his/her mobile phone, and send a challenge via SMS to the phone. Require the user to enter a response during the transaction.
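One way to build the per-transaction SMS challenge the post proposes, as an added example that is not code from the post or from any bank or vendor: the bank records the transaction exactly as it received it, the SMS restates those details next to the code, and the code is accepted only for that unchanged transaction, once. The bank-side store, the 6-digit code, the 120-second validity window and the three-attempt cap are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed: challenge is only valid briefly
MAX_ATTEMPTS = 3         # assumed: then the pending transaction is discarded

class TransactionAuthorizer:
    """Bank-side store of pending transactions, each with its own SMS code."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # tx_id -> {bound_tx, code, expires_at, attempts}

    @staticmethod
    def canonical(tx):
        # Every field the customer is asked to approve goes into the bound string.
        return f"{tx['from_account']}|{tx['payee']}|{tx['amount']:.2f}|{tx['currency']}"

    def issue_challenge(self, tx):
        """Record the transaction as it reached the bank and build the SMS text."""
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[tx_id] = {"bound_tx": self.canonical(tx), "code": code,
                                "expires_at": self._now() + CODE_TTL_SECONDS, "attempts": 0}
        # The SMS restates the transaction, so a customer whose browser session is being
        # relayed sees the payee the bank actually received, not the one the web page shows.
        sms = (f"Bank: confirm payment of {tx['amount']:.2f} {tx['currency']} "
               f"to {tx['payee']}. Code {code}. If this is not you, do not enter the code.")
        return tx_id, sms

    def authorize(self, tx_id, tx, submitted_code):
        """Execute the transaction only if the code matches and the details are unchanged."""
        entry = self._pending.get(tx_id)
        if entry is None:
            return False                     # unknown, already used, or locked out
        if self._now() > entry["expires_at"]:
            del self._pending[tx_id]
            return False
        entry["attempts"] += 1
        ok = (entry["bound_tx"] == self.canonical(tx)
              and hmac.compare_digest(entry["code"], submitted_code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[tx_id]         # single use on success; dropped after too many tries
        return ok

def code_from_sms(sms):
    """What the customer does: read the 6-digit code off the phone."""
    return sms.split("Code ")[1][:6]
```

A relayed session that swaps the payee after the customer confirmed fails the canonical comparison, and a captured code cannot be replayed for a second transaction.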