From the L0pht Archives:

Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC

The lack of client side security for internet transactions poses a huge
security risk that online banks and others just seem to ignore. Tools such
as BO2K and even simpler keystroke loggers can cut through the
authentication used for "secure" web transactions to allow an attacker to
authenticate as the hapless consumer.

Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch
Cult of the Dead Cow demonstrate the attack and Weld Pond from the
L0pht talk about whatis really going on.

It is shocking how little has fundementally changed in the way consumers perform high value banking transactions over the web. Looking back with 10 years hindsight I have a slightly different way of describing the situation. Banks assume the network is compromised so they use end to end encryption. Banks don't assume the endpoint is compromised so there is no security protection. In 2009 what is more likely, that your upstream is compromised or the endpoint is compromised? I would say for the average internet user the endpoint is more likely to be compromised.

Has the endpoint water slowly come to a boil and we are happy frogs slowly getting cooked?

Veracode Security Solutions

Security Alternatives

Security Threat Guides

Written by:

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Rob Fuller (mubix) | October 2, 2009 12:44 pm

What I think is even more amazing is that the attack performed in that video is STILL how compromise happens to this day, a simple email. It's just moved from attachments to links.

Matthew Hackling | October 2, 2009 5:58 pm


I'd politely disagree, things have progressed in the world of internet banking security in ten years.

I believe some european banks issue OTPs for performing transactions which is quite secure but does not provide protection against simple phishing attacks, which would ask the user for their username, password and next TAN.

A few of my customers here in Australia are using two factor authentication with hard tokens to authenticate to internet banking or authenticate the transfer of funds to 3rd parties for consumer internet banking. Swiss banks have been using two factor for many many years. Two factor authentication is even required by government in Singapore I believe.

Some are even using SMS to a mobile phone as out of channel confirmation of a 3rd party transfer. Other institutions globally are even starting to check the security of the endpoint and determine what transactions can be processed on that endpoint from that check.

The even smarter ones delay 3rd party transactions and have sophisticated monitoring in place to identify suspicious transactions, resulting in no increased complexity for the customer, yet managing their losses (as banks have to wear the losses and reimburse customers for fraud)

Have you seen solutions similar to that are starting to enable signing of transactions from a two factor device? Rather than authenticating access to the banking website, or authenticating executing the 3rd party transfer transaction, they are authenticating the content of the transaction.

By signing the transaction from a secure offline device (i.e. providing a hash of source account reference destination account number and value to funds to transfer to with the seed in the token) if there is a phishing attack, man in the middle, credentials compromised etc. you will have a very strong security control.

This may even provide enough security for you to use an insecure communications channel to perform a banking transaction (e.g. twitter).

The challenge is making a device and transaction signing method that is easy to use by the consumer that is cost effective.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.