Re: More shooter harassment
- From: PeterN <peter.new@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 01 Aug 2011 20:20:15 -0400
On 8/1/2011 3:11 AM, Martin Brown wrote:
On 30/07/2011 19:06, PeterN wrote:
On 7/30/2011 1:39 PM, nospam wrote:
In article <4e340c9d$0$12466$8f2e0ebb@xxxxxxxxxxxxxxxxxxxxxxx>, PeterN
<peter.new@xxxxxxxxxxxxxxxxxx> wrote:
none of the banking apps automatically log you in.
a password is *required* every single time, even if you quit and
relaunch the app moments later. in many cases, the user id is not saved
either, so you'd have to guess that one too. some apps have an option
to save the user id (not the password!) but the truly paranoid can
disable that.
Somehow, I don't find your assurances, assuring.
Specifically which banking apps have you tested?
No! I withdraw that question, it is unfair to ask. How many banking apps
are there and how many have you tested?
how many banking apps have *you* used?
name *one* single banking app that stores *both* the username *and* the
password, so that one tap is all it takes to log in without any user
interaction other than simply launching it.
just one.
You neatly avoided my question by side stepping. Banking access on PCs,
including Macs all offer access code storage. It has become a big
headache for the banks. (My source is the chief of security at a major
bank. He is frustrated since the sales department insists the apps be
easy to use. Ease of use <> security.)
Although there are issues with ease of use vs security your chief of
security mate is singularly ill informed. He should talk to some of his
technical people once in a while if he can ever get out of meetings.
All of the banking applications I have ever used block the browser save
password facility and by default do *not* save the userid (although they
do have a box to tick if you want the userid saved and warn you never to
do that on a public PC at an internet cafe). They also include some form
of unconventional input method that defeats keyloggers using either a
preshared key or a cryptographic device supplied by the bank.
They even require the input of a password again to do any kind of money
transfer to make sure that if someone leaves a PC logged into their bank
account in a public place it is not trivial to empty the account.
hint: there aren't any. no bank is that stupid. no user is that stupid
to use an app that would leave them exposed that way.
even on a traditional computer, banking sites periodically ask security
questions or request to call/email/text to the info on record to
confirm a login. why in the world would they make a phone any
different? they wouldn't.
you have *no* idea what you're talking about.
See above. Assuming your information is as reliable as your "survey"
conclusions, it can be reliably disregarded.
So can your claims. Every bank I have ever encountered has respectable
internet security measures and in Belgium for ecash as well.
Online Credit card transactions using Verified by Visa are a total mess
and prone to a man-in-the-middle attack but that is a separate issue
entirely. The weaknesses of that particular scheme have been highlighted
in various academic papers (by the same group that broke the encryption
system on chip & PIN). They exist only to allow the banks to disown
legitimate claims for compensation by consumers!
in other words, should someone manage to steal a phone and launch the
app is still not going to be able to log in to the bank.
See above.
right, see above. you're wrong.
as for intercepting the data, everything is encrypted using ssl (https)
so even if you could intercept the rf signal, you still won't get far.
Even military encryption schemes have been cracked.
so what? the possibility that someone will intercept the packets at
*exactly* the right time that a banking transaction happens to be
taking place *and* crack the encryption is *so* low that it's not worth
worrying about at all.
not only that, but you'd have to crack the encryption to even know a
banking transaction was occurring in the first place, as opposed to
more mundane traffic like facebook, which means that all that effort to
crack the encryption could be wasted and all you'd get is someone's
party pictures.
Just crack the encryption and wait. Can you show they don't change the
encryption codes for banking transaction?
The banking applications I am most familiar with cover their tracks from
keyboard through to the bank and would require an adversary to not only
crack the digital transmission security but also the much stronger bank
pre-shared key hard encryption on the secure data stream.
I don't doubt that GCHQ or NSA could do it if they wanted to, but it is
out of the league of anything that cyber criminals are going to do. It
is just so much easier to use social engineering to get gullible people
to give away their banking userid and password voluntarily.
Banking in the UK and most parts of the EU is quite different. My home PC would save my access codes automatically, if I gave permission. As to my friend, I assure you he spends little time in meetings. As I said to others, I am not advocating anything. Just stating my personal level of comfort. You obviously have a different level. Having said that I would rather take unnecessary precautions and go through a minor inconvenience, than opt for convenience and make a mistake.
--
Peter