On Tuesday 10 December 2013 11:11:44 Adam Gibson wrote: > Macao:
> >If your OS is compromised, then you're already fucked.
>
> There's a nuance here, right. In my opinion, however much I hate banks, I
> think over the last few years they have got this right. 2FA is a solution
> to the OS compromise issue, BUT it doesn't work if the second factor is on
> the same machine, or in the cloud (yes, sure a google 2FA can be basically
> effective but only because of the nightmarishly huge power such a
> corporation can wield, and even then it's not 100%), or if it's network
> enabled.
>
> The only 2FA that really works is the completely "cold" separate device,
> not even capable of talking to any other device. That's what most banks use
> nowadays.
Still not perfect: all the banking 2FAs I know work like this:
1) Prepare transaction for signing on banks web app
2) Receive code through web app
3) Enter code in device
4) Receive code from device
5) Enter code in bank web app
Between step 1 and 2 a man in the browser could set up another transaction and
replace your code with its. You'd unknowingly be signing a different
transaction.
The problem is lack of trusted screen: The device you use to sign must show
_what_ you are signing. Preferably the full transaction info.
I had this idea of creating a dedicated 2FA device which communicates over an
air gap using QR codes (thus limiting this attack vector): You'd set up a
transaction on your computer. Computer presents QR encoded transaction. You
scan code using device. Device shows same transaction. You sign using device.
Device presents signature QR code. Computer scans signature QR code. Remote
verifies signature. I might just build it if there's interest.