Re: [fw-wiz] Transitive Trust: 40 million credit cards hack'd

From: Kevin (kkadow_at_gmail.com)
Date: 06/21/05

Next message: Ben Nagy: "RE: [fw-wiz] Broken Analogies (was: Transitive Trust)"

To: "Paul D. Robertson" <paul@compuwar.net>
Date: Mon, 20 Jun 2005 18:35:09 -0500

    On 6/20/05, Paul D. Robertson <paul@compuwar.net> wrote:
    > On Mon, 20 Jun 2005, Behm, Jeffrey L. wrote:
    > > True, Marcus, but not everyone _does_ use 2 factor auth. So, at this
    > > point, it can be effective. You don't gotta outrun the bear, just
    > > the guy next to you.
    >
    > That assumes (1) a single bear OR (2) that you can outrun the bear in the
    > time it takes it to disable the other target.
    >
    > Autonomous malcode changes that equation, as does semi-random targeting.

    OTOH, attacking tokens and other OTP schemes requires a whole different
    toolkit (a "better bear"), while the current crop of keyloggers and phishing is
    working fine as "store and forward" attacks where they can assume the
    credentials they log will be valid for quite some time.

    > Now, personally, I'm all for making most of the current crop of attacker
    > tools outdated, not because I think it'll make us safe, but because it'll
    > force attackers to keep up, and I'd rather they not be provided the
    > option of being lazy if we all have to work too.

    So long as there are plenty of easy targets which do NOT require a better
    bear, the attackers will tend to go after the easy targets, and not bother to
    write tools which can be effective against tokens and OTP and other
    hardened targets.

    The American black bear is capable of eating porcupines, but so long as
    the supply of nuts and berries is plentiful, the bears leave them alone.

    > But more importantly, two factor authentication starts to provide a
    > really good base for accountability- and THAT is what we *need*.

    Shhh!

    Accountability may be the only real advantage that 2-factor has over
    old-fashioned reusable passwords, but if the users get wind that the
    real reason they are being issued tokens isn't to protect *them* but
    rather to protect *us*, we will have a revolt on our hands :)

    Take for example the SecurID tokens issued by E*Trade and AOL.

    Does anybody really believe that E*Trade is giving their customers
    "free" tokens to help protect the user from hackers, rather than to protect
    E*Trade from users who say "I didn't make that losing trade, my account
    must have been hacked, refund my losses!"?

    It's all about audit trails and non-repudiation; if there is any advantage
    to personal privacy, that's just an unintended side-effect.

    Kevin Kadow
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
