Popsie wrote: If you are concerned about security, it is best to start with the weakest link first.
Panda Security recently estimated that 50% of all PCs are already compromised. There are so many flaws in the way that Windows is designed and built that there is a constant race between the hackers and Microsoft. New vulnerabilities are exposed and new fixes are put in place, but two things happen - there is always a gap in time between the new hack and the corrective patch which usually takes weeks or months. Even if you do security updates several times a day, your computer can be vulnerable on any random day, and there is nothing you can do to prevent it.
Of course the weakest link is the user. People are always clicking on bad links, failing to update their security, answering bogus emails, etc.
So, the best we can do is be religious about updating Windows and our security programs (everyone should be running several all the time), and avoiding stupid behaviors.
The saving grace is that the banks tend to eat the losses from computer fraud - which we pay for in the end spread across every customer hidden in bank fees to merchants which are reflected in the prices we pay.
christopherglenn wrote: The problem with wifi is "man in the middle". I can put a wifi access point, and a proxy server (with VERY special software). You connect ot my wifi, and go to yourbank.com, My server connects to your bank (this is what proxy servers normally do), and makes a second website, just for you, with all the information that yourbank.com sends to my server. - complete with login fields. You have a ssl (encrypted) connection to my server, I have a ssl connection to yourbank.com. All the data that goes from you to your bank passes through my server, and it is not encrypted while I pass it from one ssl to the other. From your end it looks fine, from your banks it looks fine. I have clear text of your password, username, account number, balance, etc. I can log back into your bank as soon as you log off and transfer money from account to account, and (if you bank allows it from the internet) wire money offshore.
Please enlighten us with this software that can decrypt an SSL conversation at wire speed. If you have this, you can write your own ticket at pretty much any security firm in the world.
Also a proxy server used to proxy the connection a bad guy uses in order to hide his true location/IP. SOCKSchain is common tool used to bounce across many servers and hide.
Doing what you're describing is a lot harder than what is discussed on a blackhat forum or IRC channel amongst a group of 12 yr old wannabees.
Instead of worrying about your CC info, worry about clicking that link in that email from your buddy or installing that game on Facebook (or using FB at all) You're much more at risk doing those activities than paying a bill online.
Me and my 3 girls
2013 Cougar 293SAB
2011 F350 CC SWB 6.7
Generally, your MITM attack has a problem in that you won't be able to authenticate yourself as the bank. You may intercept the bank's public key, but if you send that to me, you won't be able to decrypt messages because you don't have the bank's private key. If instead you swap your public key for the bank's, then I will receive a warning that the digital certificate is not valid.
Tom
Yup. Happens to me at work all the time. Even for less secure or unsecure sites. Facebook even has issues because of the certificate mismatch.
Popsie wrote: If you are concerned about security, it is best to start with the weakest link first.
Panda Security recently estimated that 50% of all PCs are already compromised. There are so many flaws in the way that Windows is designed and built that there is a constant race between the hackers and Microsoft. New vulnerabilities are exposed and new fixes are put in place, but two things happen - there is always a gap in time between the new hack and the corrective patch which usually takes weeks or months. Even if you do security updates several times a day, your computer can be vulnerable on any random day, and there is nothing you can do to prevent it.
Of course the weakest link is the user. People are always clicking on bad links, failing to update their security, answering bogus emails, etc.
So, the best we can do is be religious about updating Windows and our security programs (everyone should be running several all the time), and avoiding stupid behaviors.
The saving grace is that the banks tend to eat the losses from computer fraud - which we pay for in the end spread across every customer hidden in bank fees to merchants which are reflected in the prices we pay.
You forgot the "April Fool" punchline.
Those who wish this weren't true might be the ones being fooled.
Offline
