From the L0pht Archives:

Weld Pond and Cult of the Dead Cow to be Featured on Dateline NBC

9.30.1999 The lack of client side security for internet transactions poses a huge security risk that online banks and others just seem to ignore. Tools such as BO2K and even simpler keystroke loggers can cut through the authentication used for "secure" web transactions to allow an attacker to authenticate as the hapless consumer. Dateline explores this problem on Sunday October 3rd at 7pm EST. Watch Cult of the Dead Cow demonstrate the attack and Weld Pond from the L0pht talk about whatis really going on.

It is shocking how little has fundementally changed in the way consumers perform high value banking transactions over the web. Looking back with 10 years hindsight I have a slightly different way of describing the situation. Banks assume the network is compromised so they use end to end encryption. Banks don't assume the endpoint is compromised so there is no security protection. In 2009 what is more likely, that your upstream is compromised or the endpoint is compromised? I would say for the average internet user the endpoint is more likely to be compromised. Has the endpoint water slowly come to a boil and we are happy frogs slowly getting cooked?

Veracode Security Solutions
Security Alternatives
Security Threat Guides

Written by:

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.