tag:blogger.com,1999:blog-7122745763234660283.post8915532602178811387..comments2011-04-29T22:48:12.216-07:00Minded Securityhttp://www.blogger.com/profile/01503616812076743415noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-7122745763234660283.post-68868838434677680092011-04-07T10:01:00.340-07:002011-04-07T10:01:00.340-07:00Good work! Bests to Minded Security Team.<br /><br />MGXMassimiliano MGX Grazianihttp://www.mgx.itnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-30560486973618166422011-03-19T17:06:39.497-07:002011-03-19T17:06:39.497-07:00Where can I get anti malware device? And how much?engineering leveling guidehttp://engineering-leveling-guide.com/what-help-me-with-my-engineering-guidenoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-2503932791191407482009-06-07T04:32:58.616-07:002009-06-07T04:32:58.616-07:00@Jimmy: Thank you<br /><br />@Travis: You are right. I think that separators and special characters should be filtered via Input Validation. In addition I would suggest to use some chroma, or a different font type (style and size) to better discriminate from the field and its properties.Giorgio Fedonhttp://www.blogger.com/profile/10261243238330266276noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-87882563593690901472009-06-07T04:24:17.273-07:002009-06-07T04:24:17.273-07:00Hi Giorgio, very nice post. You mentioned &quot;Transfer Details&quot;, as it could be bad if they are not displayed on the external device.<br /><br />However I think thay displaying on a small LCD the transfer details could open social engineering attacks by abusing this field.<br /><br />E.g. Tranfer Detail: Name: Alice, Amount 100 <br />Could be very misleading<br /><br />Good post indeed. Travis LeeAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-69402592613372858112009-06-06T05:34:59.631-07:002009-06-06T05:34:59.631-07:00Really the social engineering attack could be very practical for luring the user of banking dongles. A surge is expected in such cases.Jimmyhttp://www.internetdongle.comnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-2929228929387404852009-05-22T12:03:33.833-07:002009-05-22T12:03:33.833-07:00You are correct mentioning "Transfer Details". "Transfer Details" may give more room for social engineering attacks if they are not displayed on the external device.<br /><br />Since the operator of the receiving institute make his decision upon the information contained in the data transfer, an attacker may forge particular subjects to push the operator in the wrong direction. <br /><br />E.g. Inserting some information related to the attacker e.g. Surname, name, etc.. (real owner of destination account)Giorgio Fedonhttp://www.blogger.com/profile/10261243238330266276noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-33038805691755611342009-05-22T11:51:41.581-07:002009-05-22T11:51:41.581-07:00I had some security thoughts reading the article. I think that is a pretty known issue, but you give new implications connecting it to Antimalware solutions.<br /><br />You did not mention the transfer details. They need to be changed?Dr. D. Travisnoreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-20769582847421132652009-05-22T11:28:48.251-07:002009-05-22T11:28:48.251-07:00As mentioned in the article the described social engineering attack could be very practical for luring the user of "banking dongles" into confirming the transaction. Anti-Malware devices are still not very common, so attacks like the one mentioned are more likely to be encountered in the near future.Giorgio Fedonhttp://www.blogger.com/profile/10261243238330266276noreply@blogger.comtag:blogger.com,1999:blog-7122745763234660283.post-398399793035381002009-05-22T04:25:00.508-07:002009-05-22T04:25:00.508-07:00Nice Article. <br /><br />Did you have observed any fraud attempt trying to force you so called recipient bank "discretionary controls"?Francois Deranoreply@blogger.com