Re: Disclosure of vulns and its legal aspects...

From: cwright@bdosyd.com.au
Date: Thu May 31 2007 - 05:27:38 EDT


Hello,
Nothing. You are legally covered if your money goes missing. The bank loses; they are the ones who make the write-off. They may bitch, but they are liable and have to pay. In many western countries your funds are covered by state guarantee.

So basically, it is not your problem.

Westpac (a bank in Australia) codes the obscuration of its mouse clicks in JavaScript on the logon page. The fact that the captured JavaScript could be used in a Trojan was reported, and they responded by restricting access to the page source. Of course, with WebScarab an attacker can still get this; likewise, it does nothing to stop an attacker from making a Trojan to exploit it. Same problem, perception fixed, security the same.

I still bank with them. If my account is compromised, they have to bear the loss. I do not care how much they lose; they can go bankrupt for all I care. If they do, the government has guaranteed my money. So as far as your example goes, you do nothing. They understand loss. If they lose too much, they react. Simple.

The cost of using two-factor for the general population is too great, and the general public is averse to it.

Regards,
Craig

>>In reply to <<
What about a situation where I find serious mistakes in the logic of a page (the authorization process)? I found some in two EU financial institutions. One of them was my own bank. It was reported and fixed. If I hadn't reacted, I might have been a victim of their mistake. There was no scanning or exploiting, only a scenario which obliged them to react. What about this situation?

Peter Brzyski
WCI
University of Szczecin




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT