* Posts by XiaoMai

2 posts • joined 20 Jun 2012

Biz chucks millions at anti-malware, but ignores shoulder surfers

XiaoMai

Good News Is No News?

I know it's more exciting to read about major online banking thefts, and irate Halifax ATM clients, but it would be even nicer to not read about it again.

There's not a lot anyone can do to protect confidential data visible on the screen, but it is possible to make user authentication proof against spy cameras, keyloggers and other nasties. Traditional stuff, like PIN numbers, passwords and user IDs, just doesn't work these days. Look at the ATM and online banking fraud figures for Europe and the U.S.

Two U.S. banks and one in Hong Kong are currently implementing a solution called 'SeelPlatez', which is unhackable, uncrackable (and cheap...)

Picture this scene:

• Your ATM card is stolen, on the back of which you have written your PIN number.

• Together with this, they stole the piece of paper on which you wrote your online banking User ID and password.

• To make things worse, a spy camera watched your last access.

• A keylogger also recorded each keystroke.

• So did a network snooper.

Python wraps its coils around the enterprise

XiaoMai

Python? MySQL? PHP? Security?

You have to be kidding, aren't you? If you spent as much time looking at the Apache logs of compromised websites as I have, you wouldn't advocate such an irresponsible approach.

80% of all attacks on websites are via PHP or MySQL. Almost all XSS and SQL injection attacks are through one or other of the above-mentioned 'languages'. Any company with serious data to protect wouldn't dream of using them to build an application, however 'cool' or convenient it might be for the programmer. The truth of the matter is that the number of so-called 'web programmers' couldn't write a decent compiled language to save their lives.

Yes, that's the solution, if you're at all interested in securing your site: write all of your backend code in something that produces machine code, which doesn't try to interpret fake commands injected by a malicious hacker. Pro*C may not be as easy to write as these kiddy languages, but it has never been the point of entry of something nasty.
