funsec mailing list archives

Re[2]: The end of Phishing in sight?


From: Pierre Vandevenne <pierre () datarescue com>
Date: Mon, 17 Oct 2005 22:57:18 +0200

Good Day,

Monday, October 17, 2005, 10:38:49 PM, you wrote:

SL>  I believe a SecurID token has a full 3-minute window of
SL> opportunity (more if you can get the user to enter two subsequent

Correct, there is a window of opportunity - it leads to valid logins
sometimes being rejected btw. But, in the implementation I am using,
signing an operation (such as a payment to the outside world) leads
you to yet another challenge-response, dependent on the bank account
one enters, the amount paid and the device ID one uses. It is
probably not totally impossible to do a new MITM attack against it,
but it raises the barrier a bit more. And then, the pattern of
possibly simultaneous hijacks an automated system generates should be
easier to spot for a bank once it knows or suspects a phishing
operation is occurring. If a phisher gets a non-token-protected ID, he
can use it whenever he pleases, possibly months after the hack, in a
very subtle way. He'll also have more time to empty the bank account
he transferred the money into.

More barriers, probably not perfect ones, but still - it does help.

-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
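Added illustration of the transaction-signing challenge-response described in the message above (example code, not from the post or from any bank's token): the token's response is bound to the bank's challenge, the destination account, the amount and the device ID, so a response computed for the transfer the user intended does not verify for a diverted transfer, and a response for one challenge cannot be replayed against another. The HMAC-SHA256 construction, the 8-digit truncation and all keys, accounts and identifiers are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str    # destination account as entered by the user
    amount: int     # amount in cents
    device_id: str  # identifier of the signing token


def transaction_challenge() -> str:
    """Bank side: a fresh random challenge issued for this one operation."""
    return secrets.token_hex(4)


def sign_transfer(device_key: bytes, challenge: str, t: Transfer) -> str:
    """Token side: response that depends on the challenge AND the transfer
    details. Constructed scheme: HMAC-SHA256 truncated to 8 decimal digits
    (hypothetical; not the layout of any real bank token)."""
    msg = "|".join([challenge, t.account, str(t.amount), t.device_id]).encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return "%08d" % (int.from_bytes(mac[:4], "big") % 10**8)


def bank_verify(device_key: bytes, challenge: str, t: Transfer, response: str) -> bool:
    """Bank side: recompute the expected response for the transfer it actually
    received and compare in constant time."""
    expected = sign_transfer(device_key, challenge, t)
    return hmac.compare_digest(expected, response)


def mitm_scenario(device_key: bytes = b"constructed-demo-key",
                  challenge: str = "3f9a1c02") -> tuple:
    """Simulate a phisher relaying the session but swapping the destination
    account, and replaying a captured response against a later challenge.
    Returns (intended_ok, diverted_ok, replay_ok)."""
    intended = Transfer("BE00 1111 2222 3333", 25000, "TOKEN-0001")
    diverted = Transfer("BE00 9999 8888 7777", 25000, "TOKEN-0001")
    response = sign_transfer(device_key, challenge, intended)   # what the user typed
    intended_ok = bank_verify(device_key, challenge, intended, response)
    diverted_ok = bank_verify(device_key, challenge, diverted, response)
    replay_ok = bank_verify(device_key, "77d2b4e1", intended, response)
    return intended_ok, diverted_ok, replay_ok


if __name__ == "__main__":
    print(mitm_scenario())
```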