08/20/08 04:12

'E-Commerce in Crisis: When SSL Isn't Safe'


Joe (152.163.36.128) -

"The problem is," according to one bank regulatory security auditor, "SSL isn't broken. SSL states that the connection between your PC's network card and the bank's network card isn't compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a 'man-in-the-end-point' attack." In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.

According to Mitchell Ashley, CTO of network security provider StillSecure, "Traditional phishing attacks have duped end-users into clicking on a link, but in the newest evolution, even the most security-savvy can fall victim to attack. Once you're infected, the game is up."

Read the full article...


Comment #1 Mark (196.40.43.79) -

I think that is an excellent article. However, I have a few critiques.

The author goes into long convoluted discussions about the various risks to banks by special phishing programs.

Before one gets into those specifics a brief look at the big picture would be appropriate. Then one may conclude there is a major problem in general that must be addressed (and if properly addressed the issues described in that article become irrelevant).

The first step is to look at what "SSL" is. It is simply a protocol to secure the transmission of data BETWEEN your computer and the BANK'S computer.

It does nothing to: 1) verify who you are, 2) secure data on your computer or the bank's computer. It is only designed to stop someone from "listening" in on the CONNECTION. This of course is a very important aspect of security, but it is one small piece.

What that means is that ANY PROGRAM that might be installed on YOUR COMPUTER that might monitor data ON YOUR COMPUTER (such as keystroke logging) will not in any way be limited by the SSL protocol.

When you press a key on your computer, that is not part of the connection between YOUR COMPUTER and the BANK'S. It is simply an activity on your computer that programs on your computer can monitor.

Therefore any and all programs on your computer have the potential to retrieve data that one might think is protected by the SSL connection.

The real question is how one can suitably secure their own computers?


Comment #2 Milly from Wisconsin -

I don't think there really is a secure way. Computers are programmed by people and there are always ways to find leaks. That is why I do not bank online. Just too many security risks.

Full Disclosure first published on paper in 1984. Full Disclosure Live broadcast on World Wide Shortwave. Now fulldisclosure.org is your voice.

Website copyright (c) 2006-2008 GLR Sales LLC.



