[30607] in cryptography@c2.net mail archive

Re: Phishers Defeat 2-Factor Auth

daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Jul 12 09:38:51 2006

X-Original-To: cryptography@metzdowd.com
Date: Wed, 12 Jul 2006 07:30:14 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <20060710220818.D816640EDF4@warmerbythelake.com>

Lance James wrote:
> The site asks for your user name and password, as well as the
> token-generated key. If you visit the site and enter bogus information to
> test whether the site is legit -- a tactic used by some security-savvy
> people -- you might be fooled. That's because this site acts as the "man in
> the middle" -- it submits data provided by the user to the actual
> Citibusiness login site. If that data generates an error, so does the
> phishing site, thus making it look more real.

So long as logins are registered and performed in a web page, rather 
than in the chrome, we are hosed.

Creating a login, and logging into it, has to be a browser and email 
client function, not a web page function.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
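
An added illustration, not part of the original post or of any system it mentions: a token code typed into a web form verifies the same whichever page collected it, so a relaying look-alike site passes, while a response computed by the browser over the origin it is actually connected to does not survive the relay. The origin binding is one assumed reading of "login in the chrome"; the shared secret, origins and function names are constructed for the demo.

```python
import hashlib
import hmac
import os

SECRET = b"constructed-demo-secret"           # constructed sample value
REAL_ORIGIN = "https://bank.example"          # hypothetical real site
PHISH_ORIGIN = "https://bank-login.example"   # hypothetical look-alike relay

def token_code(secret: bytes, counter: int) -> str:
    """Six-digit code as shown on a token: depends on secret and counter only."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def server_check_page_login(counter: int, code: str) -> bool:
    """Server side of a login typed into a web form: nothing ties it to a site."""
    return hmac.compare_digest(token_code(SECRET, counter), code)

def chrome_response(challenge: bytes, origin_seen_by_browser: str) -> bytes:
    """Login computed by the browser: it mixes in the origin it is really
    connected to, which the page content cannot choose."""
    msg = challenge + b"|" + origin_seen_by_browser.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()

def server_check_chrome_login(challenge: bytes, response: bytes) -> bool:
    """Server accepts only a response bound to its own origin."""
    return hmac.compare_digest(chrome_response(challenge, REAL_ORIGIN), response)

def page_login_via(origin_user_is_on: str, counter: int) -> bool:
    """The typed code is identical on any page, so a relay can forward it."""
    typed = token_code(SECRET, counter)  # same digits whatever the origin
    return server_check_page_login(counter, typed)

def chrome_login_via(origin_user_is_on: str) -> bool:
    """The relay forwards the real server's challenge and the browser's reply."""
    challenge = os.urandom(16)
    return server_check_chrome_login(
        challenge, chrome_response(challenge, origin_user_is_on))

if __name__ == "__main__":
    print("page login, direct :", page_login_via(REAL_ORIGIN, 1))
    print("page login, relayed:", page_login_via(PHISH_ORIGIN, 1))
    print("chrome login, direct :", chrome_login_via(REAL_ORIGIN))
    print("chrome login, relayed:", chrome_login_via(PHISH_ORIGIN))
```

Bogus input is rejected by the real check either way, which is why a relaying page returns the same error the real site would.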