Security through kittens, was Solving password problems
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Feb 25 05:37:22 EST 2009
John Levine <johnl at iecc.com> writes:
>Clever though this scheme is, man-in-the middle attacks make it no better
>than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken- image picture or a message that your award-winning
site-image software is being upgraded and will be back soon and it's rendered
totally ineffective. Ref: "The Emperor's New Security Indicators", Stuart
Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. These things are as
worthless as most of the other wish-it-was-two-factor authentication methods
that US banks have deployed in reaction to the FFIEC guidance (in the case of
Sitekey, it's the top-rated URL for the Prg malware, indicating that it
presents no problem at all for the phishers). The best "two-factor" I've seen
to date is the New Horizons Community Credit Union, whose idea of two-factor
auth is "Oh, we got both kinds. We got user name *and* password".
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list