This is perhaps the second product concept myopia right after the lie detection software for text comminations I come across to recently. Remember a previous post heading in the opposite direction, where a bank was trying to rebuild confidence in the most abused phishing medium - the email - to keep in touch with its customers? Here's another company that's betting on a third-party client application to solve the problem of secure E-banking totally falling victim in the secure channel communication myopia one that I think has nothing to do with reality when it comes to the success of phishing :
"Here’s how Armored Online works: A company, such as a financial institution or online retailer, offers a downloadable client to customers through its website. That client then gives the customer’s computer a secure channel with which to communicate and transact with the company. Its Java-based browser is locked down, meaning it won’t accept any plug-ins, like cookies used by criminals. What’s more, the client can only “talk” to the server at the bank or online store. “It’s like iTunes for banks,” Mr. Sowerby said."
The attack of the disabled cookies? Not really, so be realistic. Coming up with a third-party application as the cornerstone of E-banking security directly conflicts with E-banking's biggest benefit - flexibility due to the compatibility with the most popular browsers. So you'd rather focus on the current situation - Brandjacking instead of re-inventing the SSL wheel -- as a matter of fact the Gozi trojan and the Nuclear Grabber are quite comfortable with SSL as they bypass it entirely. Even worse, a trojanized copy of the program will emerge given it receives any acceptance at all. And if banks start embracing it -- don't -- we can easily start talking about DRM enabled E-banking where, both, banks and customers will turn into virtual hostages to a third-party application trying to reboot the market for anti-phishing services, totally forgetting the problem is not in the lack of unencrypted transactions as no one is sniffing the credentials, but pushing fake sites instead of letting customers pull the sites for themselves.
Don't disrupt in irrelevance.
No comments:
Post a Comment