Invalid banking cert spooks only one user in 300
Stephen Bell, Computerworld, 16/05/2005 09:19:10

Up to 300 New Zealand BankDirect customers were presented with a security alert when they visited the bank's website earlier this month - and all but one dismissed the warning and carried on with their banking.

The rest of the story is at
http://www.pcworld.idg.com.au/index.php/id;1998944536;fp;2;fpid;1
or
http://www.computerworld.co.nz/news.nsf/0/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld
(PC World Australia or ComputerWorld NZ).

To provide a little more background information, BankDirect is an online-only offshoot of another bank (ASB) that's targeted at computer-savvy users who don't need (or want) the expense of a standard bricks-and-mortar account. There are no branches, and payment is done electronically at the point of sale (EFTPOS) and managed via the Internet or a cellphone, thus the (apparently) low number of accesses - you'd generally rarely need to access it over the net.

So in other words the number of computer-savvy users who were stopped by an invalid server cert at a banking site was essentially zero. To quote the article again:

  Peter Benson, chief executive of Auckland-based Security-Assessment.com, says he is "not at all surprised" at the statistics. "In my experience, the single weakest point in the chain of [computer] security is the space between the keyboard and the floor." A lot more education of users in responding appropriately to security alerts is needed, he says.

Looks like we have a long way to go in making effective security usable.

Note that if the same site had used TLS-PSK (http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-08.txt) instead of straight passwords over TLS, and had this been malicious spoofing instead of just an accident, none of this would have been possible (TLS-PSK provides mutual authentication of both parties before any sensitive information is exchanged, so even if the user ignores the warning, they won't be able to communicate with a spoofed site).

Peter.
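An added illustration of the mutual-authentication point in the post above; this is example code written for this page, not code from the post, from BankDirect, or from the TLS-PSK draft. It is a deliberately simplified model of a PSK handshake, not the real TLS-PSK key schedule: the message names, the "server finished"/"client finished"/"key expansion" labels, the HMAC-SHA256 PRF, the PSK identity and the fixed nonces are all assumptions chosen for readability. What it does show is the property the post relies on: the client checks that the server proved knowledge of the PSK before it sends anything else, so a spoofed server that has only the identity (never the key) cannot get past the first round trip.

```python
"""Simplified PSK handshake model (example code, NOT the TLS-PSK key schedule).

Assumptions (not from the original post): message layout, PRF labels,
HMAC-SHA256 as the PRF, and the sample identity/nonces used below.
"""
import hashlib
import hmac
import os


class HandshakeError(Exception):
    """A peer's Finished MAC did not verify: abort, send nothing further."""


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over a label and length-prefixed transcript parts.
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class PskClient:
    def __init__(self, identity: bytes, psk: bytes, nonce: bytes = None):
        self.identity = identity
        self.psk = psk                      # never leaves the client
        self.nonce = nonce or os.urandom(32)
        self.session_key = None

    def hello(self) -> dict:
        # Only the PSK *identity* and a fresh nonce go on the wire.
        return {"psk_identity": self.identity, "client_nonce": self.nonce}

    def finish(self, server_hello: dict) -> dict:
        sn = server_hello["server_nonce"]
        # The server must prove it knows the PSK before the client goes on.
        expected = prf(self.psk, b"server finished", self.nonce, sn)
        if not hmac.compare_digest(expected, server_hello["finished"]):
            raise HandshakeError("server does not know the PSK; aborting")
        self.session_key = prf(self.psk, b"key expansion", self.nonce, sn)
        return {"finished": prf(self.psk, b"client finished",
                                self.nonce, sn, expected)}


class PskServer:
    def __init__(self, psk_table: dict, nonce: bytes = None):
        self.psk_table = psk_table          # identity -> PSK
        self.nonce = nonce or os.urandom(32)
        self.session_key = None
        self._state = None

    def respond(self, client_hello: dict) -> dict:
        psk = self.psk_table.get(client_hello["psk_identity"])
        if psk is None:
            raise HandshakeError("unknown PSK identity")
        cn = client_hello["client_nonce"]
        finished = prf(psk, b"server finished", cn, self.nonce)
        self._state = (psk, cn, finished)
        return {"server_nonce": self.nonce, "finished": finished}

    def accept(self, client_finished: dict) -> bytes:
        psk, cn, sf = self._state
        expected = prf(psk, b"client finished", cn, self.nonce, sf)
        if not hmac.compare_digest(expected, client_finished["finished"]):
            raise HandshakeError("client does not know the PSK")
        self.session_key = prf(psk, b"key expansion", cn, self.nonce)
        return self.session_key


class SpoofedServer(PskServer):
    """A spoofed site: it sees the identity but holds no PSK, so it can only guess."""

    def __init__(self, nonce: bytes = None):
        super().__init__({}, nonce)
        self.captured = []                  # everything the client sent it

    def respond(self, client_hello: dict) -> dict:
        self.captured.append(client_hello)
        cn = client_hello["client_nonce"]
        # No key to compute a valid Finished with; a guess will not verify.
        return {"server_nonce": self.nonce,
                "finished": prf(b"guess", b"server finished", cn, self.nonce)}


def run_handshake(client: PskClient, server: PskServer) -> bytes:
    server_hello = server.respond(client.hello())
    client_finished = client.finish(server_hello)   # aborts here against a spoof
    server.accept(client_finished)
    assert client.session_key == server.session_key
    return client.session_key


def handshake_outcome(client: PskClient, server: PskServer) -> str:
    """'established' if both sides agree on a key, 'aborted' if a Finished MAC fails."""
    try:
        run_handshake(client, server)
        return "established"
    except HandshakeError:
        return "aborted"


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    psk = hashlib.sha256(b"demo pre-shared key").digest()
    genuine = PskServer({b"customer-0042": psk})
    print(handshake_outcome(PskClient(b"customer-0042", psk), genuine))
    spoof = SpoofedServer()
    print(handshake_outcome(PskClient(b"customer-0042", psk), spoof))
    print("spoof saw:", spoof.captured)
```

Against the spoofed server the client raises inside `finish()`, before its own Finished or any application data is sent, so all the impostor ever captures is the PSK identity and a random nonce. Compare that with straight password-over-TLS, where the proof of identity is the password itself, handed to whichever endpoint the user clicked through to. One caveat a practitioner should keep in mind: the PSK is never transmitted, but the Finished MACs are keyed by it, so if the PSK were a low-entropy memorable password, anyone who observed or impersonated one exchange could grind through a dictionary offline; the TLS-PSK draft's security considerations say as much and assume high-entropy keys.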
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]