Invalid banking cert spooks only one user in 300
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed May 18 06:24:18 EDT 2005
  Invalid banking cert spooks only one user in 300
  Stephen Bell, Computerworld
  16/05/2005 09:19:10
  Up to 300 New Zealand BankDirect customers were presented with a security
  alert when they visited the bank's website earlier this month - and all but
  one dismissed the warning and carried on with their banking.
The rest of the story is at
http://www.pcworld.idg.com.au/index.php/id;1998944536;fp;2;fpid;1 or
http://www.computerworld.co.nz/news.nsf/0/FCC8B6B48B24CDF2CC2570020018FF73?OpenDocument&pub=Computerworld
(PC World Australia or ComputerWorld NZ). To provide a little more background
information, BankDirect is an online-only offshoot of another bank (ASB)
that's targeted at computer-savvy users who don't need (or want) the expense
of a standard bricks-and-mortar account. There are no branches, and payment
is done electronically at the point of sale (EFTPOS) and managed via the
Internet or a cellphone, thus the (apparently) low number of accesses - you'd
generally rarely need to access it over the net.
So in other words the number of computer-savvy users who were stopped by an
invalid server cert at a banking site was essentially zero. To quote the
article again:
  Peter Benson, chief executive of Auckland-based Security-Assessment.com,
  says he is "not at all surprised" at the statistics. "In my experience, the
  single weakest point in the chain of [computer] security is the space
  between the keyboard and the floor."
  A lot more education of users in responding appropriately to security alerts
  is needed, he says.
Looks like we have a long way to go in making effective security usable. Note
that if the same site had used TLS-PSK
(http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-08.txt) instead of
straight passwords over TLS, and had this been malicious spoofing instead of
just an accident, none of this would have been possible (TLS-PSK provides
mutual authentication of both parties before any sensitive information is
exchanged, so even if the user ignores the warning, they won't be able to
communicate with a spoofed site).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
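The TLS-PSK point in the post above, as an added illustration that is not code from the post or from any TLS implementation: a constructed, simplified model of PSK key confirmation set against a password sent over a connection whose certificate warning was clicked through. The names Server, psk_login and password_login are assumed for the demo, and the HMAC-over-nonces derivation stands in for the real TLS-PSK key schedule rather than reproducing it.

```python
import hashlib
import hmac
import secrets


def derive_key(psk: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    # Simplified stand-in for the TLS-PSK key schedule: without the PSK,
    # nobody can reproduce the session key for these nonces.
    return hmac.new(psk, client_nonce + server_nonce, hashlib.sha256).digest()


def finished(key: bytes, label: bytes) -> bytes:
    # Key-confirmation message: proves knowledge of the session key.
    return hmac.new(key, label, hashlib.sha256).digest()


class Server:
    """Bank server; psk=None models a spoofed site that lacks the secret."""
    def __init__(self, psk):
        self.psk, self.received = psk, None

    def hello(self, client_nonce: bytes):
        self.nonce = secrets.token_bytes(16)
        # A spoof has no PSK, so the best it can do is pick a random key.
        self.key = (derive_key(self.psk, client_nonce, self.nonce)
                    if self.psk else secrets.token_bytes(32))
        return self.nonce, finished(self.key, b"server finished")

    def receive(self, data: bytes) -> None:
        self.received = data

    def accept(self, client_proof: bytes, data: bytes) -> bool:
        # Mutual authentication: the client must also prove it holds the PSK.
        if not hmac.compare_digest(client_proof, finished(self.key, b"client finished")):
            return False
        self.receive(data)
        return True


def password_login(server: Server, password: bytes, ignore_cert_warning: bool) -> bool:
    """Password over TLS: once the user clicks through the cert warning, the
    password goes to whoever terminates the connection, spoof included."""
    if not ignore_cert_warning:
        return False
    server.receive(password)
    return True


def psk_login(server: Server, psk: bytes, sensitive: bytes) -> bool:
    """PSK login: verify the server's proof first, so a spoof never sees the
    sensitive data even if the user ignored a certificate warning."""
    client_nonce = secrets.token_bytes(16)
    server_nonce, server_proof = server.hello(client_nonce)
    key = derive_key(psk, client_nonce, server_nonce)
    if not hmac.compare_digest(server_proof, finished(key, b"server finished")):
        return False  # abort before anything sensitive is sent
    return server.accept(finished(key, b"client finished"), sensitive)
```

Running psk_login against Server(None) returns False with nothing received, while password_login against the same spoof hands it the password as soon as the warning is dismissed.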