Hi, On Thu, Dec 11, 2008 at 03:45:26PM +0200, Viktor Larionov wrote: > By baking trojans, I meant trojans injecting additional payment information > into your bank transfers - e.g. you make 5 payments, but the trojan makes > also the sixth one, still browser with the help of a trojan displays you > only 5 of them. That wouldn't work, since the additional transaction would require a one-time password as well. Replacing a transaction works if you have control over the browser, but many banks have reacted already and offer to send the password via SMS along with a copy of the transaction data so you have a second channel. During the next year, I expect a trojan that infects phones and looks for messages with account data and passwords, then forwards them over the internet (hooray for always-on UMTS) so they can be matched to hijacked browsers. What I'd like to see in the next two years (but I'm not holding my breath) would be a (standardized?) "security module" in mobile phones that is independent from the rest of the system and can take over display and keypad, indicated via a dedicated LED; this way, the message containing the password could be encrypted without a trojan ever having a chance to access it. > Still there are very successfull strategies used by banks to fight this - > mostly based on social analysis of your behavement, but that's another > story. Yes, I was without access to my bank account for a whole week because it doesn't fit my usual behaviour pattern to rent a room in a shady district of Madrid. :-/ Simon
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/