Circle Bank plays with two-factor authentication

Florian Weimer fw at deneb.enyo.de
Sat Sep 30 05:44:58 EDT 2006


* Steven M. Bellovin:

> Again -- the scheme isn't foolproof, but it's probably *good enough*.

I agree that if you consider this scheme in isolation, it's better
than plain user names and passwords.  But I wonder if it significantly
increases customer confusion because banks told their customer that
they won't *ask* for credentials via email, but now a bank is
*sending* them by email.

> As for keystroke loggers -- the bad guy would have to capture enough table
> entries that they'd have a reasonable probability of seeing challenges
> they'd already received.

If this technology enters the attacker's radar screen, the "keystroke
logger" would be changed to scan mail folders for the message sent by
the bank.  Or it would alter the login page to display an empty
matrix, without any further explanations. 8-/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
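Bellovin's point about how many table entries a logger would have to capture before it has a reasonable chance of seeing a challenge it already holds can be put into numbers. The following is an added example, not part of the original thread; it assumes a grid card of 50 cells (e.g. 5 rows by 10 columns) and challenges of 3 distinct cells, and is meant for a defender estimating how quickly a card's exposure grows with use.

```python
from fractions import Fraction
from math import comb


def coverage_probability(n_cells: int, observed: int, challenge_len: int) -> Fraction:
    """Exact probability that a fresh challenge of `challenge_len` distinct cells,
    drawn uniformly from an n_cells grid, lies entirely within the `observed`
    cells an attacker has already captured (hypergeometric, all draws 'hit')."""
    if challenge_len > n_cells or not 0 <= observed <= n_cells:
        raise ValueError("inconsistent grid parameters")
    if observed < challenge_len:
        return Fraction(0)
    return Fraction(comb(observed, challenge_len), comb(n_cells, challenge_len))


def expected_observed_cells(n_cells: int, challenge_len: int, logins: int) -> Fraction:
    """Expected number of distinct cells revealed after `logins` independent
    logins, each exposing `challenge_len` cells: a given cell survives one login
    unseen with probability 1 - c/N, so N * (1 - (1 - c/N)**m) are seen."""
    p_unseen = (1 - Fraction(challenge_len, n_cells)) ** logins
    return n_cells * (1 - p_unseen)


def exposure_after_logins(n_cells: int, challenge_len: int, logins: int) -> Fraction:
    """Approximate chance that the next challenge is fully answerable from
    captured cells, using the rounded expected number of observed cells."""
    observed = round(expected_observed_cells(n_cells, challenge_len, logins))
    return coverage_probability(n_cells, observed, challenge_len)


if __name__ == "__main__":
    # Assumed parameters: 50-cell card, 3-cell challenge (not from the thread).
    for logins in (1, 5, 10, 20, 40):
        p = exposure_after_logins(50, 3, logins)
        print(f"{logins:3d} logged logins -> P(next challenge fully known) = {float(p):.3f}")
```

The table it prints is the kind of input a bank would use to decide after how many uses a card should be reissued, rather than treating the matrix as a fixed secret.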
