WebApp Sec: RE: Proposal to anti-phishing

["Harper.Matthew" <Matthew.Harper () SunTrust com>]

Problem is, you can't really charge for "extra" security.  What are you
saying to the customers who don't buy it...your account isn't as secure
as those that do?

Matthew Harper 

-----Original Message-----
From: Moksha Faced [mailto:mokshafaced () yahoo com] 
Sent: Tuesday, January 25, 2005 2:00 PM
To: webappsec () securityfocus com
Subject: Re: Proposal to anti-phishing

Wouldn't it be interesting if a bank would propose a holistic solution
to phishing by:
-placing all of their login widgets (and as many banks who shall remain
nameless still use SSN and PIN for the default user authentication
credentials... personal and confidential information) within an
SSL-enforced container on their site, -providing a usb cert key (media
choice due to near-universal support and acceptance) or smart card for
client auth/non-repudiation, -anti-virus, email spam filter, personal pc
firewall, -malware/trojan checker (specifically for browers), and
finally -a User Guide with a BIG SECTION on information security and
Internet threats (to address our common observations about lacking
consumer education).

What if they didn't even force these on their customers, but offered it
as a 'value-added' or "Premium Online Banking" service for a small fee?

I for one would buy it and I'm sure others would too.  Believe it or
not, one of the big online banking sites had just such a proposal
already drawn up and ready for delivery but it was shot down by
Marketing, Mgmt and other non-technical wingnuts (they'd rather just
reimburse customers for any fraud encountered).  I wonder if some other
forward-thinking eCommerce leader out there has the political clout and
cleverness to propose such a solution.  If so please let me know because
I will change my bank to yours immediately.

Best regards,
-mf
Rogan Dawes wrote:

> > > > And then there are other issues, like which smartcard + pki + 
> > > > message format must be supported by the PC, OS, and user's 
> > > > software.  And do all these factors interoperate smoothly with all 
> > > > the other software a banking customer may have.
> > > > Finally, there is the need to re-authenicate ever customer in order
> > > > to issue a new identifier in the form of the card.
> > >
> > > So long as the smartcard supports PKCS#11, there should be no 
> > > problem interacting with it.
> > >
> > > The PKI software chosen by the bank should be irrelevant, as it 
> > > still produces certificates in the standard X.509 formats.
> >
> >
> > The selected CA, cert issuing process, extensions and or cert 
> > constrainst fields, CA policy statement and the fields/structure in 
> > the messages generally give all the PKCS 11 and X.509 a strong 
> > flavour of 'proprietary'
> > implmentations.
>
> PKCS#11 is not subject to proprietary flavours, to the best of my 
> knowledge. This means that a customer that has a card reader that 
> supports PKCS#11 can interact with standards supporting browsers such 
> as IE and Firefox to access the certificates stored on their smart
cards.
> Sure X.509 has a number of optional fields that may or may not be used
> by a particular implementation of PKI. But please see below for an 
> explanation of why this doesn't matter.
>
> > Worse, many CA approachs will provide an assertion about a person
(lyal
> > collins) not theat person's accounts, or conversely, with accounts.  
> > In the
> > former case, I have to register my cert with each account I have with
> > each
> > (so the banks can update their account profiles with my cert details)
> > while
> > the latter case means a new cert for each account I have. 
> > If this isn't a case of inplementing new 1:1 security relationships 
> > just to
> > replaice existing solutions with new technology, without saving
costs, I
> > don't know what is.
>
> There are a couple of ways of approaching this: Either have different 
> smart-cards per bank, and the bank manages their own cards/certs 
> entirely, or let the user have a smart card, and the bank only manages
> a private/public key pair on the smart card.
>
> Either way, the bank is still in control of the issuing process. Note 
> that I have never suggested that you should have only a single private
> key and certificate, that all banks use to identify you. Absolutely, 
> each bank will want to control the certificates that they recognise, 
> and allow to access their systems.
>
> The main thing that I think you missed here is that you CAN store 
> multiple key pairs on a single smart card. But I think that more 
> likely, and more feasible from a management perspective, is that banks
> will issue their own smart card. That way, if you lose a single card, 
> you do not lose all your identities at once.
>
> In another email sent to this list, I proposed that banks make use of 
> the smart card facilities available on many credit and debit cards 
> already in the field, by allowing customers to use those to 
> authenticate to their internet banking services. Maybe you should read
> that email for a better understanding of how I am thinking . . .
>
> > > Message format can be specified by the online application, as it 
> > > does not have to interact with anyone else, other than that single 
> > > online application.
> >
> > This = proprietary solutuion., What about my other financial/bank
> > relationships?
>
> Why should they have to interact with each other via the Internet? 
> They already have existing relationships set up via SWIFT, etc . . .
>
> If each bank has their own certificate, they are at complete liberty 
> to use them as they choose . . .
>
> > > > Technically, a good idea.  Practically, and commercially, 
> > >
> > > very hard and
> > >
> > > > expensive to do.  Requiring every on-line banking customer 
> > >
> > > to buy a new
> > >
> > > > computer in order to use on-line banking is probably worse 
> > >
> > > than giving
> > >
> > > > customers a new computer, something that does happen for high worth
> > > > individuals in a few rare cases.
> > >
> > > I'm not suggesting for a second that people will HAVE to buy a new 
> > > computer. You can buy a smart-card reader for les than USD30. No 
> > > need for a new computer, if you already have one.
> >
> >
> > Smartcard readers are like sterilising bullets - the benefit (germ 
> > free) is
> > far outweighed by other effects (the bullet kills you).
>
> I call bull on this. A number of banks already offer customers the 
> option of using smart cards. I fail to see how adding a smart card 
> reader to an existing PC has negative side effects?
>
> Old PC's can use serial or parallel readers, more recent PC's can use 
> USB readers. Still NEWER machines can use integrated card readers. 
> Where's the downside?
>
> > > My point was that IF manufacturers start shipping computers with a 
> > > smart-card reader already part of the PC, and with drivers already 
> > > installed as part of the OS installation, then we start approaching 
> > > the "zero-setup" that was originally posited as the "Holy Grail".
> >
> > We can but hope - one day, Oh one day
>
> Indeed. That's what this discussion is about. Trying to get (just a 
> little) closer to that day . . .
>
> > Lyal
>
> Rogan 
************************************************ 
The information transmitted is intended solely 
for the individual or entity to which it is  
addressed and may contain confidential and/or 
privileged material. Any review, retransmission, 
dissemination or other use of or taking action 
in reliance upon this information by persons or 
entities other than the intended recipient is 
prohibited. If you have received this email in 
error please contact the sender and delete the 
material from any computer. [ST:A234] 
************************************************