WebApp Sec mailing list archives

RE: limits of end-user "testing"


From: Luke Fraser <LFraser () soltrus com>
Date: Thu, 17 Nov 2005 09:39:30 -0500


> This doesn't prevent phishing per se. I can set up a phishing site that
> acts as a man in the middle proxy to the bank's site. You log into my
> site, I log into the bank's site, get a challenge, send the number to you
> the victim, you reply and I forward it to the bank, voila.

I had a conversation with a 2-factor authentication vendor a few weeks ago
about this. His comment was that this kind of thing was possible, but the
damage that can be done is mitigated by the bank's fraud detection systems.
If a phisher were to compromise an account they would only have one session
to conduct any fraudulent transactions, and this type of activity is easily
spotted by most banks' fraud systems. If an attacker wanted to evade the
fraud detection systems they'd have to conduct small transactions over
multiple sessions, which isn't possible with one-time-password type
authentication (unless they can phish the credentials multiple times).

This makes sense to me, but can anyone confirm that banks' fraud detection
systems are this good?

Luke
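To make the argument in the message above concrete, here is an added example (not part of the thread and not any bank's or vendor's code) of the kind of per-session fraud scoring the reply attributes to banks. The rules, thresholds, account profile and sample sessions are all constructed for illustration; the point it shows is that when a phished one-time password buys the attacker a single session, everything they do lands in that one session, which is what the heuristics catch, whereas the same transfers spread over several sessions score low individually.

```python
"""Toy per-session fraud scoring (constructed example, not a real bank's
engine). Demonstrates why a single phished session concentrates the signal
that session-level heuristics look for."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Transfer:
    when: datetime
    payee: str
    amount: float


@dataclass
class Session:
    session_id: str
    account: str
    transfers: List[Transfer] = field(default_factory=list)


# Constructed per-account profile; a real system derives this from history.
PROFILE: Dict[str, dict] = {
    "acct-1": {"known_payees": {"landlord", "utility-co"}, "typical_amount": 300.0},
}

FLAG_THRESHOLD = 2  # constructed: two or more rule hits flags the session


def score_session(session: Session, profile: Dict[str, dict] = PROFILE) -> int:
    """Count how many of the constructed heuristics the session trips.

    Each rule adds one point; a hold or manual review is triggered once the
    total reaches FLAG_THRESHOLD.
    """
    p = profile[session.account]
    known: Set[str] = p["known_payees"]
    typical: float = p["typical_amount"]
    xfers = sorted(session.transfers, key=lambda t: t.when)
    score = 0

    # Rule 1: two or more payees this account has never paid before.
    new_payees = {t.payee for t in xfers if t.payee not in known}
    if len(new_payees) >= 2:
        score += 1

    # Rule 2: session total far above the account's typical transfer.
    if sum(t.amount for t in xfers) > 10 * typical:
        score += 1

    # Rule 3: a single transfer far above the typical amount.
    if any(t.amount > 5 * typical for t in xfers):
        score += 1

    # Rule 4: velocity, three or more transfers inside five minutes.
    for i in range(len(xfers) - 2):
        if xfers[i + 2].when - xfers[i].when <= timedelta(minutes=5):
            score += 1
            break
    return score


def is_flagged(session: Session) -> bool:
    return score_session(session) >= FLAG_THRESHOLD


T0 = datetime(2005, 11, 17, 9, 0)  # constructed timestamps

# Constructed sample: an ordinary session paying two known payees.
LEGIT = Session("s-legit", "acct-1", [
    Transfer(T0, "utility-co", 95.0),
    Transfer(T0 + timedelta(minutes=4), "landlord", 1100.0),
])

# The scenario from the post: one phished OTP yields one session, so all of
# the attacker's transfers land in it.
ONE_SESSION = Session("s-relay", "acct-1", [
    Transfer(T0, "mule-a", 1400.0),
    Transfer(T0 + timedelta(minutes=1), "mule-b", 1400.0),
    Transfer(T0 + timedelta(minutes=2), "mule-c", 1400.0),
])

# The evasion the post says OTP rules out: the same transfers, one per
# session, which would require phishing the victim three separate times.
SPLIT = [
    Session(f"s-split-{i}", "acct-1",
            [Transfer(T0 + timedelta(hours=i), payee, 1400.0)])
    for i, payee in enumerate(["mule-a", "mule-b", "mule-c"])
]

if __name__ == "__main__":
    for s in [LEGIT, ONE_SESSION, *SPLIT]:
        print(s.session_id, score_session(s), is_flagged(s))
```

Running it scores the legitimate session 0, the single relayed session 3 (new payees, total outflow, velocity) and each of the split sessions 0. One caveat on the post's reasoning: production fraud engines also aggregate across sessions and days (new payees per account per day, cumulative outflow, device and IP changes), so the split pattern is not automatically invisible; the example only isolates the per-session concentration effect the vendor's argument relies on.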

