Security through kittens, was Solving password problems

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 25 05:37:22 EST 2009


John Levine <johnl at iecc.com> writes:

>Clever though this scheme is, man-in-the-middle attacks make it no better
>than a plain SSL login screen.

You don't even need a MITM, just replace the site image on your phishing site 
with either a broken-image picture or a message that your award-winning 
site-image software is being upgraded and will be back soon and it's rendered 
totally ineffective. Ref: "The Emperor's New Security Indicators", Stuart 
Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer.  These things are as 
worthless as most of the other wish-it-was-two-factor authentication methods 
that US banks have deployed in reaction to the FFIEC guidance (in the case of 
Sitekey, it's the top-rated URL for the Prg malware, indicating that it 
presents no problem at all for the phishers).  The best "two-factor" I've seen 
to date is the New Horizons Community Credit Union, whose idea of two-factor 
auth is "Oh, we got both kinds.  We got user name *and* password".

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com