
Re: Pimping DNSSEC (was Re: DNSSEC - Signature Only vs the MX/A issue.)



Joe Abley wrote:
> 
> On 5-Dec-2006, at 23:16, Hallam-Baker, Phillip wrote:
> 
>>
>>> From: Danny Mayer [mailto:mayer@gis.net]
>>
>>> I suspect that we will see demand for DNSSEC the first time
>>> that a bank sees a poisoning attack and their customers get
>>> redirected to a fake site and their accounts drained as a
>>> result. Phishing attacks can be alleviated since you can tell
>>> technologically that the site is not what it claims. Their
>>> customers will demand it, the bank will be afraid not to do
>>> it, the insurance companies make it a condition of coverage
>>> of losses, etc. Then of course the military have a need for
>>> it. Of course that still leaves the issue of validating
>>> resolvers not being widely deployed (okay, so only a
>>> handful of people have deployed them).
>>
>> This attack is happening but not quite in this way.
> 
> The banks around here have fixed that problem by buying insurance which
> will reimburse both the bank and the customer for fraudulent
> transactions which occur using the bank's web banking app.
> 
> In the case that the customer notices a fraudulent transaction, the bank
> reimburses them, the insurance company reimburses them, and everybody is
> happy.
> 

Actually, it doesn't take long before the insurance companies start to
push the banks to do something to secure their networks. If a customer
notices then they spread the word and it becomes a public relations
nightmare for the banks if they don't do something. It's not just about
who pays for the problem.

> In the case that the customer doesn't notice a fraudulent transaction,
> nobody does anything and everybody is still happy.
> 
> DNSSEC will need to be as reliable as this, and noticeably cheaper than
> the insurance, before I would expect these banks to start caring about it.
> 

Cheaper is not the only incentive; bad publicity is a much larger one.
Customers will move their money somewhere safer if they perceive a problem.

Danny

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>