On Tuesday, October 1, 2013 5:54:53 PM UTC+8, Igor Bukanov wrote:
> > Why is this attack not thwarted by the use of external secure keys?
> >
>
> Currently the bank uses a password and a hardware token. Changing that
> is a long process and using JS-based RSA is considered a temporary
> measure to raise the bar for attackers.
>
> > That's what my bank has issued me. The one-time 6-digit PIN is tied to
> > some transactional data (last 4 digits of transferee account number) and
> > so can't be captured and reused for a different transfer.
> >
>
> That does not work with more sophisticated injects that just wait
> until the user performs a payment and change the payment details.
> Typically they also patch HTML that shows transaction list etc. to
> hide the fraud and change the total balance.
New 2nd-factor authentication tokens require customers to input the payment or fund transfer details (such as account no., etc.) into the token, which then internally signs it, and outputs a signature number. The customer is to enter the signature onto the web page to continue with the payment or transfer. I think this will probably defeat the sophisticated attack you mentioned.

But of course, I agree that deploying token-based security mechanisms may take time in many countries; so interim security mechanisms are desirable.

Regards,
Xinshu

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
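As an added illustration (not code from this thread, nor any bank's or token vendor's), here is a Python model of the two schemes discussed above: a 6-digit PIN tied only to the last 4 digits of the payee account, beside a transaction-signing token whose code covers the full account number and the amount. The secret, account numbers and amounts are constructed, and the token is modelled as a truncated HMAC.

```python
import hashlib
import hmac

# Constructed per-customer seed shared by the bank and the customer's token (hypothetical).
TOKEN_SECRET = b"constructed-token-seed-for-customer-0001"


def _short_code(secret: bytes, message: bytes, digits: int) -> str:
    # Truncate an HMAC to a decimal code of the length a token display can show.
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)


def legacy_pin(secret: bytes, transfer: dict) -> str:
    # The older scheme from the thread: the 6-digit PIN is tied only to the
    # last 4 digits of the payee account, so the amount and the rest of the
    # account number are not covered by it.
    return _short_code(secret, transfer["payee_account"][-4:].encode(), 6)


def transaction_signature(secret: bytes, transfer: dict) -> str:
    # The newer scheme: the customer keys the full payee account and the
    # amount into the token, which signs that canonical string. Real devices
    # also mix in a counter or challenge against replay; omitted here.
    canonical = f"{transfer['payee_account']}|{transfer['amount_cents']}".encode()
    return _short_code(secret, canonical, 8)


def bank_accepts(scheme, secret: bytes, received: dict, code: str) -> bool:
    # The bank recomputes the code over the details it actually received and
    # compares in constant time; a mismatch means the details were altered.
    return hmac.compare_digest(scheme(secret, received), code)


def check_tamper_resistance(intended: dict, received: dict) -> dict:
    """Sign what the customer keyed in, verify what the bank's server received."""
    return {
        "legacy_pin_accepts": bank_accepts(legacy_pin, TOKEN_SECRET, received,
                                           legacy_pin(TOKEN_SECRET, intended)),
        "txn_signing_accepts": bank_accepts(transaction_signature, TOKEN_SECRET, received,
                                            transaction_signature(TOKEN_SECRET, intended)),
    }


if __name__ == "__main__":
    # Constructed sample: an in-browser inject swaps the payee for an account
    # with the same last 4 digits and raises the amount after the code was entered.
    intended = {"payee_account": "1234567890", "amount_cents": 5000}
    altered = {"payee_account": "5550007890", "amount_cents": 250000}
    print(check_tamper_resistance(intended, intended))  # both schemes accept
    print(check_tamper_resistance(intended, altered))   # only the legacy PIN still accepts
```

The legacy PIN verifies on the altered transfer because nothing it covers changed, while the transaction signature fails verification, which is the property Xinshu's reply relies on.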
