WebApp Sec mailing list archives
Re: limits of end-user "testing"
From: "Kurt Seifried" <bt () seifried org>
Date: Thu, 17 Nov 2005 05:38:50 -0700
a) have two factor transaction signing (SMS or token based) to prevent unauthorized transfers via phishing
This doesn't prevent phishing per se. I can setup a phishing site that acts as a man in the middle proxy to the bank's site. You log into my site, I log into the bank's site, get a challenge, send the number to you the victim, you reply and I forward it to the bank, voila.
I don't think two factor sign on authentication is much of a win against phishing, but it's better than passwords when you have to use potentially trojan'd or untrustworthy computers.
I think people are actually much worse off potentially beccause it will strengthen the bank's case that they were diligent in protecting you the customer, and despite failing they're not to blame and you the customer are left holding the bill (or in this case an empty account).
-Kurt
Current thread:
- limits of end-user "testing" Jeff Robertson (Nov 17)
- Re: limits of end-user "testing" Andrew van der Stock (Nov 17)
- Re: limits of end-user "testing" Kurt Seifried (Nov 17)
- Re: limits of end-user "testing" Andrew van der Stock (Nov 17)
- Re: limits of end-user "testing" Javier Fernandez-Sanguino (Nov 22)
- Re: limits of end-user "testing" Daniel (Nov 27)
- Re: limits of end-user "testing" Kurt Seifried (Nov 17)
- Re: limits of end-user "testing" Javier Fernandez-Sanguino (Nov 22)
- Re: limits of end-user "testing" Andrew van der Stock (Nov 17)
- <Possible follow-ups>
- RE: limits of end-user "testing" Luke Fraser (Nov 17)
- Re: limits of end-user "testing" byte_jump (Nov 17)