funsec mailing list archives

Re[2]: The end of Phishing in sight?


From: Pierre Vandevenne <pierre () datarescue com>
Date: Mon, 17 Oct 2005 23:09:40 +0200

Good Day,

FW> In Germany, we have both: two-factor authentication and phishing.
FW> This should tell you something about the effectiveness of two-factor
FW> authentication. *sigh*

Well, it's not a question of agreeing or disagreeing - just thinking
about it. Do you have any links to successful phishing cases involving
both password/login combos and tokens supporting digital signatures?
I'd really like to see the details of such cases.

With MITM being the magic bullet, I don't doubt it could work in some
cases. But targeting a ssl web site where the customer has safely gone
before, carrying an MITM on the login, executing an operation and
convincing the customer to sign for it (for example by substituting
another operation) and relying on the customer who is logged in not
seeing that the pending operation isn't the one he signed for is
really much more involved than stealing a login. I am sure
implementations will differ and some of them will be better than
others though.

note: I have no link to that industry and would have resented having
to pay for the token if I had had to.

-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

