On Sun, Jul 27, 2003 at 12:37:54AM -0400, Sean Donelan wrote:
Unfortunately there are a lot, and a growing number, of self-infected PCs on the net. As the banks point out, this is not a breach of the bank's security. Nor is it a breach of the ISP's security. The user infects his PC with a trojan and then the criminal uses the PC to transfer money from the user's account, with the user's own password.
The bank hands out ATM cards, but does not offer the customer the option of logging in with SafeWord or SecurID or any other OTP. Given how much the bank saves in labor, it could surely afford the card expense. But it's easy to see why they don't, since it's the customer, not the bank, that is taking the risk.

A sufficiently fancy trojan would notice when the user logged into the bank using OTP and change the destination of a money transfer or add an invisible transaction, but that's certainly quite a lot harder than a simple keystroke logger.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.