AW: [Clips] Banks Seek Better Online-Security Tools

Kuehn, Ulrich Ulrich.Kuehn at telekom.de
Wed Dec 7 08:23:15 EST 2005


> -----Original Message-----
> From: Nicholas Bohm [mailto:nbohm at ernest.net]
> Sent: Tuesday, 6 December 2005 12:03
> To: Florian Weimer
> Cc: cryptography at metzdowd.com
> Subject: Re: [Clips] Banks Seek Better Online-Security Tools
> 
> Florian Weimer wrote:
> > * Nicholas Bohm:
[...]
> 
> I hope, not too confidently, that before the attackers adjust 
> enough, banks will start giving their customers FINREAD type 
> secure-signature-creation devices of decent provenance whose 
> security does not rely on non-compromise of my PC or network.
> 
In 2000 someone here in Germany already demonstrated how to attack smart-card-based HBCI transactions. Those transactions are authorized by an RSA signature done by the card.

The attack demonstration used a trojan (I think it was something like Back Orifice) to remote-control the victim's PC with the attached smart card reader, so that the PIN entered on the PC keyboard(!) could be sniffed and subsequently the PC including reader and smart card be used as a sort of remote signature generation device, authorizing any transaction of the attacker's choice. So under some circumstances even signature-based authorization does not work as advertised.

The attack relied on the card reader not having a separate keyboard for PIN entry. Interestingly, I wonder what would happen if a reader with display and keyboard is used in an online attack, i.e. the adversary sneaks in a fraudulent transaction when the hash for the signature is computed. I do not know off the top of my head what is supposed to be displayed in the reader's display, so I do not know what impact such an attempt would have.

Any suggestions?

Ulrich
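Added example (not part of Ulrich's message or of any HBCI implementation): a small model of the two reader designs discussed above, showing why a reader with its own PIN pad and display only helps if the display shows the very bytes the reader itself hashes. The card, the PIN, the transactions and the HMAC stand-in for the RSA signature are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

    def encode(self) -> bytes:
        return f"{self.payee}|{self.amount_cents}".encode()


class Card:
    """Smart card: releases a signature over a digest only after a PIN check.
    The card's RSA signature is stood in for by an HMAC under a constructed key."""
    def __init__(self, pin: str, key: bytes):
        self._pin, self._key = pin, key

    def sign(self, pin: str, digest: bytes) -> bytes:
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        return hmac.new(self._key, digest, hashlib.sha256).digest()


def bank_accepts(card_key: bytes, tx: Transaction, sig: bytes) -> bool:
    """The bank recomputes the digest over the transaction it received."""
    digest = hashlib.sha256(tx.encode()).digest()
    return hmac.compare_digest(hmac.new(card_key, digest, hashlib.sha256).digest(), sig)


def class1_sign(card: Card, pin_typed_on_pc: str, tx_chosen_by_host: Transaction) -> bytes:
    """Reader without keypad/display: the PC sees the PIN and chooses the bytes
    to hash, so whoever controls the PC controls what the card signs."""
    digest = hashlib.sha256(tx_chosen_by_host.encode()).digest()
    return card.sign(pin_typed_on_pc, digest)


def class3_sign(card: Card, user_intent: Transaction, tx_from_host: Transaction,
                pin_on_reader_pad: str) -> Optional[bytes]:
    """Reader with keypad/display: it hashes the bytes itself, shows the decoded
    fields on its own display, takes the PIN on its own pad, and signs only
    after the user confirms that the display matches what they intended."""
    shown = tx_from_host  # the display shows exactly what will be hashed
    if shown != user_intent:  # user compares display with intent and aborts
        return None
    digest = hashlib.sha256(shown.encode()).digest()
    return card.sign(pin_on_reader_pad, digest)
```

With the PC compromised, `class1_sign` yields a bank-valid signature over whatever the host substituted, while `class3_sign` refuses because the substituted fields appear on the reader's display before anything is signed.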

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com