Posts by David Emmett

5 publicly visible posts • joined 19 Apr 2007

Portsmouth gets crime-predicting CCTV

David Emmett

What's the point?

The point is to make people FEEL safer. To give Joe and Janet Public the idea that Something Is Being Done. The fact that they are about as much use as a Microsoft marketing bod at a computer security convention is neither here nor there. Their primary purpose is to soothe the tempers of the Daily Mail-reading masses, rather than prevent crime.

Museum drops Watson talk in race row

David Emmett

Ironic, really.

As Jared Diamond points out in his excellent book "Guns, Germs And Steel," the main force driving genetic selection among white people was resistance to disease, as people in the Fertile Crescent discovered farming and started living in close quarters with animals.

On the other hand, the main trait required by hunter-gatherer societies (such as many of those found in Africa) was observation, analysis and memory (i.e. the key parts of intelligence), as these are the skills which will help you find food in and survive the dangers of the ever-changing landscape of the hunter-gatherer existence.

Spanish regulators in mobile price fix probe

David Emmett

Just how mobile mad are the Spanish?

"Movistar is Spain's biggest mobile operator with 22m clients. Vodafone numbers 14.6m clients, while third place Orange has 11.1m to its name."

Those are shared between 40 million Spaniards ...

Don't let Paris Hilton do bird

David Emmett

Throw away the key

The sensible people of the world have attempted to strike back with their own petition:

http://www.ipetitions.com/petition/lockupparis4eva/signatures.html

Sadly, with only 17 signatures, it seems that the sensible people of the world are vastly outnumbered ...

Phishing attack evades bank's two-factor authentication

David Emmett

Social, Not Software Engineering

Although this man-in-the-middle attack succeeded in obtaining some funds, it wasn't all that successful. Only a very small number of customers were stupid enough to click on the e-mail attachment (which claimed to be an "SSL 3 Update"), and most customers were unaffected.

This is not the first time that Dutch banking customers have been affected: The Postbank uses TAN lists, generated password lists, and thieves have been known to break into letterboxes in blocks of flats to steal these lists and use them to access the accounts.

The fact is that two-factor authentication is much safer than just the passwords used by most UK and US banks. Simple password authentication allows any old keylogger to record your details and give an attacker access to your bank, and keyloggers can be installed from anywhere. Two-factor authentication requires much more sophisticated attacks, and is much harder work for attackers to implement. It's not impossible, but it increases the skill levels needed. It can also only be done while the customer is accessing their bank account, unlike password attacks, which allow unfettered access once passwords have been revealed. In addition, this man-in-the-middle attack required active user intervention to install the trojan, relying on the stupidity^H^H^H^H^H^H^H^H^H naivety of users to install the software on their computers.

Two-factor authentication is not perfect, it's just several thousand times better than what UK bank customers are being provided.