Terrifying
I work in a software security lab. We spend a lot of time trying to think of ways to defend against phishing, identity theft, etc. So when a tool like gdMoney comes along, I get a little creeped out.
gdMoney is a Google Desktop Widget, that runs in the Google Desktop app, and periodically sniffs credit card transactions. The gdMoney site doesn’t explain how the plugin works, but it’s probably a screen scraper that hits the credit card’s website and scrapes the list of transactions. Which suggests it can log into your account. If it can log into your account, then it has your username and password. If it has your username and password, then any passing virus or worm can also acquire your username and password.
Right now, gdMoney only supports reading AmEx balances. Which is good, because it looks like the AmEx site is sufficiently limited to prevent money from being moved around. But I doubt that’s true for other online financial institutions.
The idea behind gdMoney is great, but the problem is the implementation. Until financial institutions publish secure “read only” feeds about customers, then tools like gdMoney will be another vector for attack. Why? Because they store the user’s financial credentials on an insecure medium.
I work in a software security lab.
I find that really hard to believe. I don’t think that there is much “work” getting done.
MG