[cryptography] PKI "fixes" that don't fix PKI (part III)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Sep 11 13:23:43 EDT 2011

Andy Steingruebl <andy at steingruebl.com> writes:
>On Sat, Sep 10, 2011 at 4:46 PM, John Levine <johnl at iecc.com> wrote:
>> But Steve, generic malware runs on your PC or in your browser. =A0If
>> they wanted to steal card numbers, they'd steal card numbers today,
>> from the browser or by key logging, before the numbers got TLS-ed.
>> Since they don't do it now, I don't see any reason to think they'd do
>> it if it were easier to steal them other places.
>Do you have any data to support your assertion that malware isn't stealing
>credit card numbers from individual PCs?

I realise you're kinda baiting him here :-), but for those who aren't familiar
with this (is there anyone who isn't?), man-in-the-browser (MITB) attacks
steal massive amounts of data every day.  The MITB has custom rulesets
tailored for individual financial institutions (several thousand in some
cases) that bypass any protection mechanisms the banks (or whatever) may have
in place.  This is why European banks have been transitioning to, or in some
countries have transitioned to, external auth devices that can't be
compromised by PC trojans.  In the case of smartphones the response has been
to push the trojans out to the phone as well, but for specialised tokens the
best attacks to date have been a few semantic attacks.


More information about the cryptography mailing list