The simplistic Linux/Unix answer for every threat.

“Rewrite billions of lines of code to run on their favorite subset of the Linux/Unix multiverse”.

Of course we would then see the bad guys flock to assault the open systems where the source code is equally available to them too.

Like or Dislike: 2  0

But this is to easy!

Like or Dislike: 1  3

While the businesses might be more attractive targets because of the large amounts of money in their accounts, theft from small depositors is more likely to go undetected for longer periods of time. And of course, once the trojan is on the victim’s computer, information about his banking habits is available to the thieves. It’s still a good deal for them. If an attack is coordinated, a single money mule could be used to receive transfers from multiple victims. These thieves don’t hesitate to go after small transactions; they’ve used money mules for years to move consumer electronic products purchased with stolen credit cards out of the country. (Ordering DVD players and then sending a truck to the mule’s home to pick it up is a much more involved process than a bank transfer, and the items being shipped have less value than what the average person has in his bank account on the day after payday.)

Mr. Drozdowski comes right out and says that that until the losses are in the billions, no one is going to get serious about this. And losses in the billions are exactly what we will get if that’s the threshold for the feds to get involved.

Like or Dislike: 1  0

Security wise while a dynamic key version would be an improvement by completely removing the statistical analysis attack problem, however currently the simple printed method this isnt a problem with 10000+ interception rates a user wont do that many authentications in anywhere near the lifetime of their printed key. As with any added complexity to a system the complexity opens up new hi tech attack problems which need to be seriously considered. Overall the theoretical online security will be improved and some new features added but the practical online security wont change much.

Second is the cost not just of the devices themselves which would need specialized chips and hardware but also issues like security of the manufacturing chain and delivery costs which is a major issue many people forget or dismiss. Lets say for example the ZTIC devices were given free by the government to every bank for every user, the bank still needs to deliver millions of packages to everyone. Take a standard package delivery cost and multiply it by x million and that is a big headache right there. The existing printed passwindow solution can be mailed by envelope (such as a monthly balance statement) anywhere and manufactured behind the desk of any office so I need to match that level of delivery cost in any future device which means on card electronics which I am watching closely. To be honest the technology just isnt quite there yet with the flexible cheap screens thin enough to go into a credit card, there are some companies with the technology to do it but the reliability isnt acceptable just yet.

Thirdly is the usability factor which has to be considered, as much as I like the theory of the ZTIC device and other electronic transaction signing tokens its true they are a royal pain to carry around, too big for a wallet and yet small enough to lose easily. The reality is most token devices (including my own) end up being left unattended around the office desk and an attacker only needs a few seconds access and an SMS of the code to his friend in x country and its game over. The most secure place on a person is the universal wallet where people keep their cash money so any solution really needs to be able to work with this existing infrastructure.

The electronic version will happen but I cant say exactly when.

Like or Dislike: 2  2

One popular device, the iPhone has one advantage in that it can only process one transaction at a time. I understand this is hard wired into its hardware, so this could prevent any attempts to interfere with passwindow on a out of band device method; which I like even better. However, the iPhone is not THAT ubiquitous yet, so I digress.

I never lose my credit card, so passwindow is a very good fix for now, in my not so humble opinion. I would think even more sophistication could be added with nano-circuitry, that would be powered by the same cheap solar cells used in calculators and wrist watches. Perhaps this could future proof the concept?

Chip and PIN has already been defeated by several attack methods by crackers, some of them involving a simple paper clip. Having an expensive system like that defeated so quickly with all the expense that went into it, is why US banks are so timid to try that kind of technology. I can’t say I blame them.

Like or Dislike: 1  0