The independent channel

It is usually hard to properly protect a communication channel that is built out of several layers of complicated software. Say we run an internet banking site over an SSL-protected HTTP server. The client needs 1) a web browser, of which there are a few popular ones, each of which turns out every once in a while to be vulnerable to some attack; 2) an SSL library, of which again there are a few implementations, and they have already proved not to be entirely bug-free (not to mention the protocol itself revealing a weakness from time to time); and finally 3) all of this has to run on an operating system of some kind, and the most popular OSes tend to resemble a good Swiss cheese in terms of security.

There are of course plenty of reasons for all this to still be insecure, one of them being the sheer amount of code, which is not easy to manage. And so on, and so on. But it doesn't really matter what the reason is; the important thing is that we are not secure enough and we won't be in the near future (no, I don't think Vista is going to surprise us here; judging from what it has already shown, it is going to be even worse than what we have now). So, instead of relying entirely on the one potentially unsafe channel, it is better to use a completely independent additional channel to check and confirm the sanity of the primary one. Think SMS.

It is not impossible to take over the additional channel as well (it takes malware on the phone itself, or a replacement SIM talked out of the operator), but it is difficult and expensive enough that, for the typical scammer, the whole thing is no longer worth the effort. Of course it still relies on user awareness, but at least now there is one piece of information the user can be fairly sure is accurate: the SMS describes the transaction as the bank actually received it, not as a possibly compromised browser displayed it.

So, before typing in a money transfer confirmation code from an SMS your bank has sent you, check that the account number (and the amount) in the SMS really match the ones you wanted your money sent to. A mismatch means something in the primary channel has been tampered with, and the code should not be entered at all. This only works if the bank puts the transaction details into the message; a bare code with nothing to check it against gives you no more than the browser already did. You will make scammers' lives harder and your money will be a wee bit safer.
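To make the bank side of this concrete, here is an added example (not code from the post or from any bank) of what the SMS channel has to carry for the user's check to mean anything. It assumes a transaction-bound confirmation code: the server derives the code with an HMAC over the destination account, the amount and a fresh nonce, so a code issued for the transfer shown in the SMS cannot authorise a different transfer, and puts those same details into the message. The key, the IBAN-shaped account strings and the message format are all constructed for the example; the post itself specifies none of them.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed key for the example only; a bank would keep a per-customer key
# in an HSM or equivalent, never a constant in source.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
CODE_DIGITS = 6


@dataclass(frozen=True)
class Transfer:
    dest_account: str   # destination account as the server received it
    amount: str         # decimal string such as "1500.00"; never a float
    nonce: str          # fresh per transfer, so an old code cannot be replayed


def new_nonce() -> str:
    return secrets.token_hex(8)


def confirmation_code(t: Transfer, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over every field the user must check, truncated to a
    short decimal code.  Change any field and the code no longer matches."""
    msg = "|".join((t.dest_account, t.amount, t.nonce)).encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS
    return f"{value:0{CODE_DIGITS}d}"


def sms_text(t: Transfer, key: bytes = DEMO_KEY) -> str:
    """Message for the independent channel: the transfer as the server sees
    it, next to the code that authorises exactly that transfer."""
    return (f"Transfer of {t.amount} to account {t.dest_account}. "
            f"Confirmation code: {confirmation_code(t, key)}")


def verify(t: Transfer, submitted_code: str, key: bytes = DEMO_KEY) -> bool:
    """Server side: recompute for the transfer actually queued and compare in
    constant time.  A code issued for another destination or amount fails."""
    return hmac.compare_digest(confirmation_code(t, key), submitted_code)


def user_should_approve(intended_account: str, intended_amount: str,
                        sms: str) -> bool:
    """The user's part of the protocol: the details in the SMS must be the
    ones they typed, otherwise the primary channel has been tampered with."""
    return f"Transfer of {intended_amount} to account {intended_account}." in sms


def simulate(intended_account: str, received_account: str,
             amount: str = "1500.00") -> tuple[bool, str]:
    """Model a browser that rewrites the destination on its way to the bank:
    the server queues `received_account`, the user meant `intended_account`.
    Returns (does the user approve?, the SMS the user saw)."""
    queued = Transfer(received_account, amount, new_nonce())
    sms = sms_text(queued)
    return user_should_approve(intended_account, amount, sms), sms


if __name__ == "__main__":
    victim = "PL61109010140000071219812874"   # constructed IBAN-shaped strings
    mule = "PL27114020040000300201355387"
    print(simulate(victim, victim))   # honest browser: user approves
    print(simulate(victim, mule))     # tampering browser: SMS exposes the swap
```

Two things follow from the binding. First, the SMS is the bank's statement of what it is about to do, which is why the user's comparison is worth making. Second, even a user who types the code without looking cannot be tricked into authorising a transfer other than the one the SMS named, because the code verifies only against that exact destination, amount and nonce; the remaining risk is the one the post describes, a user who approves the wrong transfer without reading.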

© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.
Posted on November 12, 2006 4:41 PM.