EvilRob.org -> Weblog

Sysadmin Field Notes

Security situation = not good

February 19, 2005

Putting some thoughts together inspired by things I've read recently.

1. Phishing, and more directly the hacking of local computers, is only going to get easier and worse (witness Unicode (IDN) domain names and be afraid).

2. Businesses (financial institutions in particular) are going to be increasingly asked to do something about it, either by customer demand or legal action.

So what's a bank to do to protect its customers? Some European banks have gone with scratch-off cards that provide one-time passwords. I thought that was pretty good, but it doesn't solve much if the attack is done right: the attacker steals the password, returns an error message telling the user to try again in 24 hours, then uses the stolen credentials to log in and steal.

SecurID fobs? Also not much good; the attacker steals the number and password and has an average of 30 seconds to log in with that number. If they fail, they can even just ask the user again to keep supplying numbers, returning bogus "try again" errors until they successfully log in.

So what on earth does that leave? Challenge-response tokens? If the attacker acts as an intermediary, again they can snoop the challenge, get the response back, and send it on while feeding a fake error message to the user.

None of this bodes very well. It's pretty much impossible to secure a communications channel when one end of it is fully compromised. Ironically enough, we'd need something like Microsoft's Palladium, with hardware support for a secure channel for entering passwords. But this is probably too complex to get right.

Assuming that the attackers don't get too fancy in the short term, a stopgap is to give browsers much better SSL interfaces: "You are about to securely visit www.wellsfargo.com; when you last visited the site it was owned by 'Wells Fargo Inc.' (the CN of the cert). That has changed, and it now claims to be owned by 'Some guy'. Do you wish to continue? Click here to see the differences between the old certificate and the new certificate."
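The check behind that prompt is a trust-on-first-use comparison of the certificate identity a host presented last time against the one it presents now. The following is an added example, not code from the original post: it keeps a per-host store of subject fields and certificate fingerprint, classifies each visit, and renders the warning. Certificates are in the dict form Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates and the DER bytes are constructed stand-ins.

```python
import hashlib

# Constructed samples in the dict form ssl.SSLSocket.getpeercert() returns,
# with stand-in DER bytes (getpeercert(binary_form=True) gives the real ones).
FIRST_VISIT = ({"subject": ((("countryName", "US"),),
                            (("organizationName", "Wells Fargo Inc."),),
                            (("commonName", "www.wellsfargo.com"),))},
               b"constructed DER bytes, first visit")
LATER_VISIT = ({"subject": ((("countryName", "US"),),
                            (("organizationName", "Some guy"),),
                            (("commonName", "www.wellsfargo.com"),))},
               b"constructed DER bytes, later visit")


def subject_fields(cert):
    """Flatten getpeercert()'s nested subject tuples into {field: value}."""
    return {name: value for rdn in cert["subject"] for name, value in rdn}


class TofuStore:
    """Trust-on-first-use store: remembers the identity each host presented."""

    def __init__(self):
        self._seen = {}  # host -> {"subject": {...}, "fp": sha256 of DER}

    def check(self, host, cert, der):
        """Classify a visit as first-visit, unchanged, renewed or changed.
        Returns (status, changes); changes maps field -> (old, new)."""
        ident = {"subject": subject_fields(cert),
                 "fp": hashlib.sha256(der).hexdigest()}
        old = self._seen.get(host)
        if old is None:
            self._seen[host] = ident
            return "first-visit", {}
        if old["fp"] == ident["fp"]:
            return "unchanged", {}
        changes = {f: (old["subject"].get(f), ident["subject"].get(f))
                   for f in old["subject"].keys() | ident["subject"].keys()
                   if old["subject"].get(f) != ident["subject"].get(f)}
        # Same subject but a new key/serial is an ordinary renewal, not a takeover.
        return ("renewed" if not changes else "changed"), changes


def warning_text(host, status, changes):
    """Render the prompt sketched above; empty string when owner is unchanged."""
    if status != "changed":
        return ""
    old_org, new_org = changes.get("organizationName", ("?", "?"))
    return (f'You are about to securely visit {host}; when you last visited '
            f'the site it was owned by "{old_org}". That has changed, and it '
            f'now claims to be owned by "{new_org}". Do you wish to continue?')
```

The "renewed" status is what keeps routine certificate rotation from training users to click through warnings; only a change in who the certificate names triggers the prompt.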

Of course, assuming evil hackers have complete control over the client system, it won't be very long until they just disable that functionality, or patch the browser to not display various versions of it.

We need much, much, much better client security for average folks. I don't even know where to start. Maybe we should just take all these websites down, call it a good fun several years, and go back to banking in person, at a branch...:-)

Posted by rmeyer at 12:32 AM | TrackBack (0)

This is Rob Meyer's weblog, a weblog focused on software development and system administration based on 10 years of experience.
