-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[snip]

> That is the point "Int3" was reiterating. If the problem Citi's OSK is
> supposed to fix is actually that the bad guys already have, or can more
> or less easily get, arbitrary code onto the client machine, then
> changing the way the client user interacts with the machine does not
> solve the problem -- it simply changes the form of data capture the bad
> guys' arbitrary code has to perform.

I think it's worth considering credit cards for a minute. There is credit card fraud. It costs big financial institutions lots of money every year. Those institutions spend lots of money on preventing credit card fraud. The cost of fraud and the money spent on fraud prevention, in sum, approximate a minimum cost for the financial institutions (at least, that's their goal :) Yes, more fraud could be prevented, but at a higher aggregate cost (note that part of the cost might be lost revenue due to customer flight from onerous anti-fraud measures). Financial institutions put a lot of work into finding that minimum.

There will always be online banking fraud, or at least we will have online banking fraud until customers' computers, the bank's computers, and the networks in between can be fully trusted (which is approximately never unless we change computing and communications paradigms). It is my guess that the solutions deployed by the banks will try to achieve the aggregate minimum cost for online banking fraud in the same way that they try to achieve aggregate minimum cost for credit card fraud.

The reason I say this is not to discuss the particular issues with Citi's OSK. I say this to point out that the people holding out for a "perfect" solution that prevents 100% of online banking fraud are being unrealistic. If Citi's OSK reduces real-world fraud by a significant margin, it's a big win for Citi and their customers, even if it has flaws.

--eli

- --
Eli Dart                                    Office: (510) 486-5629
ESnet Network Engineering Group             Fax:    (510) 486-6712
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486  343A 2D31 4478 5F82 B2B3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGQ1V/LTFEeF+CsrMRAp9FAKCMDZ4v4B4NntqY8a2f04uHb4MGtQCgiASy
+JIdYo0idRqOo+MKHm3E7tA=
=z6JK
-----END PGP SIGNATURE-----