AOL Help : About AOL® PassCode
Ian G
iang at systemics.com
Thu Jan 6 08:10:31 EST 2005
Joerg Schneider wrote:
> So, PassCode and similar forms of authentication help against the
> current crop of phishing attacks, but that is likely to change if
> PassCode gets used more widely and/or protects something of interest
> to phishers.
>
> Actually I have been waiting for phishing with MITM to appear for some
> time (I haven't any yet ...
By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?
Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.
(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)
Perhaps we need a name for this: real time MITM
versus delayed time MITM? Batch time MITM?
> Assuming that MITM phishing will begin to show up and agreeing that
> PassCode over SSL is not the solution - what can be done to counter
> those attacks?
The user+client has to authenticate the server. Everything
that I've seen over the last two years seems to fall into
that one bucket.
> Mutual authentication + establishment of a secure channel should do
> the trick. SSL with client authentication comes to my mind...
Maybe. But that only addresses the MITM, not the
theft of user information.
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
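To make the distinction in this thread concrete (a "delayed time" or "batch time" MITM that replays a harvested passcode later, versus a "real time" MITM that proxies the login through while the code is still fresh, and why the client authenticating the server is what stops the latter), here is an added simulation. It is not code from the original post or from AOL; the 30-second step, the 6-digit code, the user and key names, and the use of an HMAC keyed with a shared verifier as a stand-in for the server's TLS certificate signature are all assumptions made for this example.

```python
"""Time-based one-time passcodes against a delayed-time MITM, a real-time
proxy MITM, and a real-time proxy facing a client that authenticates the
server first. Added illustration, not the list post's or AOL's code; step,
digits, names and the HMAC-for-certificate stand-in are assumptions."""
import hashlib
import hmac
import os

STEP = 30      # assumed passcode validity window in seconds
DIGITS = 6


def passcode(token_seed: bytes, now: int) -> str:
    """TOTP-style code for the window containing `now` (RFC 6238 truncation)."""
    counter = (now // STEP).to_bytes(8, "big")
    mac = hmac.new(token_seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class RealServer:
    """Genuine site. `identity_key` stands in for its TLS private key and
    `key_share` for the key-exchange value it sends in its own handshake."""
    def __init__(self, identity_key: bytes):
        self.identity_key = identity_key
        self.key_share = os.urandom(16)
        self.tokens = {}     # user -> token seed
        self.used = set()    # (user, window) already accepted: codes are single-use

    def prove_identity(self, nonce: bytes) -> bytes:
        # Like a TLS server signature: binds the nonce to THIS server's key share.
        return hmac.new(self.identity_key, nonce + self.key_share, hashlib.sha256).digest()

    def login(self, user: str, code: str, now: int) -> bool:
        seed = self.tokens.get(user)
        if seed is None:
            return False
        for window in (now // STEP, now // STEP - 1):   # allow one step of clock skew
            if hmac.compare_digest(code, passcode(seed, window * STEP)):
                if (user, window) in self.used:
                    return False
                self.used.add((user, window))
                return True
        return False


class DelayedPhisher:
    """Cloned site: shows a fake success page; attacker replays the code later."""
    def __init__(self, real: RealServer, delay: int = 0):
        self.real, self.delay = real, delay
        self.key_share = os.urandom(16)   # the clone must present its own key share
        self.harvested = []

    def prove_identity(self, nonce: bytes) -> bytes:
        return self.real.prove_identity(nonce)   # best it can do: relay the challenge

    def login(self, user: str, code: str, now: int) -> bool:
        self.harvested.append((user, code, now))
        return True

    def cash_in(self) -> list:
        return [self.real.login(u, c, t + self.delay) for u, c, t in self.harvested]


class RealtimeProxy(DelayedPhisher):
    """Same clone, but relays each login to the real site while the code is fresh."""
    def login(self, user: str, code: str, now: int) -> bool:
        self.harvested.append((user, code, now))
        return self.real.login(user, code, now)


class Client:
    """User + browser + token. With `server_verifier` set, the client checks the
    site's proof against the key share it actually received before releasing
    a passcode (the role a checked or pinned certificate plays in TLS)."""
    def __init__(self, user: str, token_seed: bytes, server_verifier: bytes = None):
        self.user, self.token_seed, self.server_verifier = user, token_seed, server_verifier

    def visit(self, site, now: int) -> bool:
        if self.server_verifier is not None:
            nonce = os.urandom(16)
            expected = hmac.new(self.server_verifier, nonce + site.key_share,
                                hashlib.sha256).digest()
            if not hmac.compare_digest(site.prove_identity(nonce), expected):
                return False   # unauthenticated server: send nothing at all
        return site.login(self.user, passcode(self.token_seed, now), now)


def run_scenarios() -> dict:
    real = RealServer(identity_key=b"real-site-identity-key")
    seed = b"alice-token-seed"
    real.tokens["alice"] = seed
    t0 = 1_105_000_000    # fixed clock so the run is repeatable (assumed)
    out = {}
    clone = DelayedPhisher(real, delay=600)     # attacker logs in ten minutes later
    Client("alice", seed).visit(clone, t0)
    out["delayed_mitm_login"] = clone.cash_in()[0]
    proxy = RealtimeProxy(real)
    out["realtime_mitm_login"] = Client("alice", seed).visit(proxy, t0 + 120)
    out["replay_in_same_window"] = real.login("alice", proxy.harvested[0][1], t0 + 120)
    careful = Client("alice", seed, server_verifier=b"real-site-identity-key")
    proxy2 = RealtimeProxy(real)
    out["proxy_vs_authenticating_client"] = careful.visit(proxy2, t0 + 240)
    out["proxy2_harvested"] = len(proxy2.harvested)
    out["real_vs_authenticating_client"] = careful.visit(real, t0 + 240)
    return out
```

The delayed attacker's replay fails because the code has expired (and a same-window replay fails because the server marks codes single-use), while the real-time proxy gets in because it relays the code immediately. The proxy still loses against the authenticating client even though it relays the server's challenge: the proof is bound to the key share the real server used, not the one the proxy had to present to read the traffic. Note that the simulated careful client refuses before sending anything; a human who has already typed a static password into the look-alike page has given it away regardless, which is the point made above that server authentication addresses the MITM but not the theft of user information.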
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com