Phishers Defeat 2-Factor Auth

James A. Donald jamesd at echeque.com
Tue Jul 11 17:30:14 EDT 2006


Lance James wrote:
> The site asks for your user name and password, as well as the
> token-generated key. If you visit the site and enter bogus information to
> test whether the site is legit -- a tactic used by some security-savvy
> people -- you might be fooled. That's because this site acts as the "man in
> the middle" -- it submits data provided by the user to the actual
> Citibusiness login site. If that data generates an error, so does the
> phishing site, thus making it look more real.

So long as logins are registered and performed in a web page, rather 
than in the chrome, we are hosed.

Creating a login, and logging into it, has to be a browser and email 
client function, not a web page function.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
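Added example, not part of the original post: a small in-process model of why a password and token code typed into a web page verify identically when a look-alike page passes them on, while a response computed by the browser itself over the origin it is connected to does not. The origin names, the `Server` class and the helper functions are hypothetical. HMAC with a shared key stands in for a real signature scheme, and RFC 4226 HOTP stands in for the token-generated key.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://bank.example"             # constructed name
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed name

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 code, standing in for the token-generated key."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def chrome_response(key: bytes, origin: str, challenge: bytes) -> bytes:
    """Computed by the browser itself; origin comes from the connection,
    not from anything the page supplies. HMAC stands in for a signature."""
    return hmac.new(key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()

class Server:
    def __init__(self, password: str, token_secret: bytes, chrome_key: bytes):
        self.password, self.token_secret, self.chrome_key = password, token_secret, chrome_key
        self.counter = 0

    def page_login(self, password: str, code: str) -> bool:
        """Form login: the values carry no trace of which page collected them."""
        ok = (hmac.compare_digest(password.encode(), self.password.encode())
              and hmac.compare_digest(code.encode(), hotp(self.token_secret, self.counter).encode()))
        if ok:
            self.counter += 1  # each code is accepted once
        return ok

    def chrome_login(self, challenge: bytes, response: bytes) -> bool:
        """Accept only a response computed over the server's own origin."""
        expected = chrome_response(self.chrome_key, REAL_ORIGIN, challenge)
        return hmac.compare_digest(response, expected)

def form_via_middle(server: Server, typed_password: str, typed_code: str) -> bool:
    """The look-alike page passes the typed values on unchanged."""
    return server.page_login(typed_password, typed_code)

def chrome_via(server: Server, key: bytes, visited_origin: str) -> bool:
    """The browser answers for the origin it is actually connected to."""
    challenge = secrets.token_bytes(16)
    return server.chrome_login(challenge, chrome_response(key, visited_origin, challenge))
```

Bogus values fail through the middle page exactly as they would at the real site, and valid values succeed, so the form login gives the server nothing to tell the two paths apart; the origin-bound response fails as soon as the visited origin differs.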


