John Levine <jo...@iecc.com> writes:

>I told him about an approach to use a security dongle that puts the display
>and confirmation outside the range of the malware, and although I thought it
>was fairly obvious, he'd apparently never heard it before.

Some general thoughts on this, there have been attempts going back at least ten years to bring devices like this to market (for example I have a nice device that does exactly this built in the late 90s sitting in a drawer somewhere), but they always die for the same reason, lack of interest and, for the few who are interested, lack of interest in paying the cost.

>I've made it an entry in my blog at
>
>http://weblog.johnlevine.com/Money/securetrans.html
>
>[...]
>
>I don't understand why banks aren't using this approach already.

Because (apart from the reasons given above) with business use specifically you run into insurmountable PC <-> device communications problems. Many companies who handle large financial transactions are also ones who, due to concern over legal liability, block all access to USB ports to prevent external data from finding its way onto their corporate networks (they are really, *really* concerned about this). If you wanted this to work, you'd need to build a device with a small CMOS video sensor to read data from the browser via QR codes and return little more than a 4-6 digit code that the user can type in (a MAC of the transaction details or something). It's feasible, but not quite what you were thinking of.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
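
The confirmation code mentioned in the reply above (a MAC of the transaction details, shortened to digits the user types), as an added example that is not part of the original message or of any product it refers to. Assumptions: a per-device secret key shared with the bank, a bank-issued per-transaction nonce, hypothetical field names, and HOTP-style truncation (RFC 4226) chosen here as one way to get from a MAC to six digits.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # length of the code the user types back (the message suggests 4-6)

def canonical(payee_account: str, amount_cents: int, nonce: str) -> bytes:
    """Serialize the transaction unambiguously: each field is length-prefixed."""
    fields = [payee_account.encode(), str(amount_cents).encode(), nonce.encode()]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def confirmation_code(key: bytes, payee_account: str, amount_cents: int,
                      nonce: str) -> str:
    """What the device shows after the user approves the details on its display."""
    mac = hmac.new(key, canonical(payee_account, amount_cents, nonce),
                   hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226): low nibble of the last byte
    # selects a 4-byte window, top bit masked, reduced to DIGITS decimal digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def bank_verify(key: bytes, payee_account: str, amount_cents: int,
                nonce: str, typed_code: str) -> bool:
    """Bank recomputes the code over the transaction it actually received."""
    expected = confirmation_code(key, payee_account, amount_cents, nonce)
    # Constant-time compare, done on bytes so non-ASCII digits do not raise TypeError.
    return hmac.compare_digest(expected.encode(), typed_code.encode())

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"   # constructed sample value
    nonce = "txn-0001"                                 # constructed sample value
    code = confirmation_code(key, "DE00-1234-5678", 250_000, nonce)
    print("device shows:", code)
    # If software on the PC swaps the payee before submission, the typed code
    # no longer matches what the bank computes over the altered transaction.
    print("honest:", bank_verify(key, "DE00-1234-5678", 250_000, nonce, code))
    print("tampered:", bank_verify(key, "XX99-0000-0001", 250_000, nonce, code))
```

A six-digit code can be guessed with probability one in a million per attempt, so the verifying side has to limit attempts per nonce.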