Strict Standards: Declaration of UserSettings::get() should be compatible with AbstractSettings::get($col_key1, $col_key2 = NULL, $col_key3 = NULL) in /home/id212/public_html/blog/inc/MODEL/users/_usersettings.class.php on line 202

Strict Standards: Declaration of UserSettings::set() should be compatible with AbstractSettings::set() in /home/id212/public_html/blog/inc/MODEL/users/_usersettings.class.php on line 202

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Creating default object from empty value in /home/id212/public_html/blog/inc/MODEL/settings/_abstractsettings.class.php on line 221

Warning: Cannot modify header information - headers already sent by (output started at /home/id212/public_html/blog/inc/MODEL/users/_usersettings.class.php:202) in /home/id212/public_html/blog/inc/MODEL/sessions/_session.class.php on line 222

Strict Standards: Declaration of Blog::set() should be compatible with DataObject::set($parname, $parvalue, $make_null = false) in /home/id212/public_html/blog/inc/MODEL/collections/_blog.class.php on line 1034

Strict Standards: Declaration of BlogCache::option_list() should be compatible with DataObjectCache::option_list($default = 0, $allow_none = false, $method = 'name') in /home/id212/public_html/blog/inc/MODEL/collections/_blogcache.class.php on line 272

Strict Standards: Declaration of Group::set() should be compatible with DataObject::set($parname, $parvalue, $make_null = false) in /home/id212/public_html/blog/inc/MODEL/users/_group.class.php on line 420

Strict Standards: Declaration of User::dbdelete() should be compatible with DataObject::dbdelete() in /home/id212/public_html/blog/inc/MODEL/users/_user.class.php on line 1145

Strict Standards: Declaration of User::set() should be compatible with DataObject::set($parname, $parvalue, $make_null = false) in /home/id212/public_html/blog/inc/MODEL/users/_user.class.php on line 1145

Strict Standards: Declaration of ResultSel::display_list_start() should be compatible with Results::display_list_start($detect_no_results = true) in /home/id212/public_html/blog/inc/_misc/_resultsel.class.php on line 48

Strict Standards: Declaration of ResultSel::display_list_end() should be compatible with Results::display_list_end($detect_no_results = true) in /home/id212/public_html/blog/inc/_misc/_resultsel.class.php on line 48

Strict Standards: Declaration of Filetype::set() should be compatible with DataObject::set($parname, $parvalue, $make_null = false) in /home/id212/public_html/blog/inc/MODEL/files/_filetype.class.php on line 197

Strict Standards: Declaration of UserCache::option_list() should be compatible with DataObjectCache::option_list($default = 0, $allow_none = false, $method = 'name') in /home/id212/public_html/blog/inc/MODEL/users/_usercache.class.php on line 288

Strict Standards: Declaration of Comment::set() should be compatible with DataObject::set($parname, $parvalue, $make_null = false) in /home/id212/public_html/blog/inc/MODEL/comments/_comment.class.php on line 1164

Notice: Array to string conversion in /home/id212/public_html/blog/inc/_misc/_misc.funcs.php on line 1253

Strict Standards: Declaration of ItemList2::query() should be compatible with Results::query($create_default_cols_if_needed = true, $append_limit = true, $append_order_by = true) in /home/id212/public_html/blog/inc/MODEL/items/_itemlist2.class.php on line 48

Notice: Array to string conversion in /home/id212/public_html/blog/inc/_misc/_misc.funcs.php on line 1253

Notice: Array to string conversion in /home/id212/public_html/blog/inc/_misc/_misc.funcs.php on line 1317

Warning: Cannot modify header information - headers already sent by (output started at /home/id212/public_html/blog/inc/MODEL/users/_usersettings.class.php:202) in /home/id212/public_html/blog/inc/MODEL/skins/_skin.funcs.php on line 71
Security x.0 - Archives for: July 2008

Archives for: July 2008

14/07/08

Permalink 01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking  

Can you imagine an ATM running Windows XP Home Edition and being connected to the Internet or a Point of Sale terminal running Tetris? – Unlikely! Why then is allowing a customer to use any computer on the Internet to connect to the banking system, and transfer much more money than you can take out of a cash machine, a good idea? Why did arguably the most conservative organisations in the world – the banks – agree to lower their defenses so low that they practically invited the criminals in?

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. This is being very effectively exploited by criminals and the banks are looking for a solution. Personal computers are not tamper proof sales terminals, therefore it is unfeasible to rely on the customer to keep them 100% secure. No one can take away online banking but banks can deploy new security measures, and solving this problem requires a new innovative approach that can equally address security, ease of use, and cost.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

07/07/08

One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email look so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not being willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life for fraudsters easy. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.

About

Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.

Search


Strict Standards: Declaration of ArchiveList::count_total_rows() should be compatible with Results::count_total_rows($sql_count = NULL) in /home/id212/public_html/blog/plugins/_archives.plugin.php on line 544