funsec mailing list archives
Re[2]: The end of Phishing in sight?
From: Pierre Vandevenne <pierre () datarescue com>
Date: Mon, 17 Oct 2005 22:57:18 +0200
Good Day,

Monday, October 17, 2005, 10:38:49 PM, you wrote:

SL> I believe a SecurID token has a full 3-minute window of
SL> opportunity (more if you can get the user to enter two subsequent

Correct, there is a window of opportunity - it leads to valid logins
sometimes being rejected btw.

But, in the implementation I am using, signing an operation (such as a
payment to the outside world) leads you to yet another
challenge-response, dependent on the bank account one enters, the
amount paid and the device ID one uses. It is probably not totally
impossible to do a new MITM attack against it, but it raises the
barrier a bit more.

And then, the pattern of possibly simultaneous hijacks an automated
system generates should be easier to spot for a bank once it knows or
suspects a phishing operation is occurring.

If a phisher gets a non-token-protected ID, he can use it whenever he
pleases, possibly months after the hack, in a very subtle way. He'll
also have more time to empty the bank account he transferred the money
into.

More barriers, probably not perfect ones, but still - it does help.

--
Best regards,
Pierre
mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
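Added example, not part of the original post and not the bank's or SecurID's actual algorithm: a sketch of a challenge-response that depends on the account, the amount and the device ID, showing that a response captured for one payment does not verify for an altered one. The HMAC-SHA256 construction, field layout, 8-digit code and all names and values are assumptions.

```python
import hashlib
import hmac

DIGITS = 8  # assumed response length typed back by the user


def sign_operation(key: bytes, device_id: str, challenge: str,
                   account: str, amount_cents: int) -> str:
    """Token side: response bound to challenge, account, amount and device ID."""
    fields = [device_id, challenge, account, str(amount_cents)]
    # Length-prefix every field so "12" + "345" cannot collide with "123" + "45".
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode("ascii") for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP) to get a short code.
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def verify_operation(key, device_id, challenge, account, amount_cents,
                     response, used_challenges) -> bool:
    """Bank side: one attempt per challenge, details taken from the request."""
    if challenge in used_challenges:
        return False  # replayed or already-attempted challenge
    used_challenges.add(challenge)
    expected = sign_operation(key, device_id, challenge, account, amount_cents)
    return hmac.compare_digest(expected, response)


def demo():
    # All values below are constructed for the example.
    key, dev, chal = bytes(range(32)), "DEV-0001", "48151623"
    acct, amount = "ACCT-EXAMPLE-0001", 12500
    resp = sign_operation(key, dev, chal, acct, amount)

    genuine = verify_operation(key, dev, chal, acct, amount, resp, set())
    # A relay that changes the destination or the amount cannot reuse resp.
    new_account = verify_operation(key, dev, chal, "ACCT-EXAMPLE-9999", amount, resp, set())
    new_amount = verify_operation(key, dev, chal, acct, 990000, resp, set())
    # Submitting the same challenge twice is refused by the bank.
    seen = set()
    verify_operation(key, dev, chal, acct, amount, resp, seen)
    replay = verify_operation(key, dev, chal, acct, amount, resp, seen)
    return genuine, new_account, new_amount, replay


if __name__ == "__main__":
    print(demo())
```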