[cryptography] trustwave admits issuing corporate mitm certs

The Fungi fungi at yuggoth.org
Tue Feb 28 08:34:24 EST 2012

On 2012-02-26 15:45:34 -0600 (-0600), Marsh Ray wrote:
> So if the online banking site required TLS client authentication
> with smart cards with on-chip RSA, the situation would be much
> different. A MitM who succeeded in impersonating the site to the
> user would be unable to replay or forward the user's credentials. In
> theory, the user could not be socially engineered out of his
> credentials (short of physically handing over his smart card).

"Your login was successful, but due to recent security concerns we
also require a one-time verification of your personal information.
Please now enter the following...

 * Checking Account Number
 * Bank Routing Number
 * ATM Card Number
 * Card Expiraion Date
 * CCV Number
 * Full Name
 * Billing Address
 * Social Security Number
 * Drivers License Number

Thank you for your cooperation. Please click here to log out and
back in again. [hyperlink to actual impersonated site]"

So sure, maybe not socially engineered out of his online banking
credentials, just possibly everything else the attacker might want
in lieu of access to the banking portal itself. Mutual
authentication could thwart this if implemented well in a way which
was very visible to the user, but also might not if implemented
poorly (and it's not like banks are leading the way in
well-thought-out authentication technologies, after all).

Also working against this is that it's more expensive for banks to
step up authentication past the level which government regulators
consider to no longer be grossly negligent. Beyond there it's likely
cheaper in the long run for banks to refund disputed transactions
and replace compromised accounts (or wait for victims to get
frustrated and give up/leave in disgust).
{ IRL(Jeremy_Stanley); WWW(http://fungi.yuggoth.org/); PGP(43495829);
WHOIS(STANL3-ARIN); SMTP(fungi at yuggoth.org); FINGER(fungi at yuggoth.org);
MUD(kinrui at katarsis.mudpy.org:6669); IRC(fungi at irc.yuggoth.org#ccl); }

More information about the cryptography mailing list