Re: Proposal to anti-phishing
From: Rogan Dawes (discard dawes.za.net)
Date: Mon Jan 17 2005 - 01:58:24 CST
Lyal Collins wrote:
> To expand on this, there is nothing to stop the phisher capturing the entire
> session (i.e. MITM tunneling), even using a valid OTP token to logon, and
> even a second OTP token to 'authenticate' a transaction.
> With tunneling the entire session, the attacker can easily present the user
> with screens saying "transfer $200 to mum" while telling the banking site to
> 'transfer $1000 to joe hacking.site.somewhere"
>
>
> Lyal
>
Exactly. And this is another reason to use SSL client certificates.
Because they are invulnerable (for large numbers of invulnerable ;-) to
MITM attacks.
Rogan
--
Rogan Dawes
*ALL* messages to discard dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
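
The contrast drawn in this thread, as an added example that is not part of the original messages: a one-time code is independent of the TLS connection it travels over, while a client-certificate proof is computed over the handshake the client actually took part in. Assumptions: HMAC stands in for the client's private-key signature, the transcript is reduced to the two randoms plus the server certificate, and every key, certificate and name is constructed.

```python
import hashlib
import hmac
import os

# All keys, certificates and names below are constructed for this simulation.
OTP_SEED = b"constructed-otp-seed"
CLIENT_KEY = b"constructed-client-key"  # stand-in for the client cert's private key
BANK_CERT = b"constructed-bank-cert"
PHISHER_CERT = b"constructed-phisher-cert"

def otp(counter: int) -> str:
    """Counter-based one-time code: depends on the seed only, not on the channel."""
    mac = hmac.new(OTP_SEED, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:8]

def transcript(client_random: bytes, server_random: bytes, server_cert: bytes) -> bytes:
    """Simplified handshake transcript hash as seen by one TLS connection."""
    return hashlib.sha256(client_random + server_random + server_cert).digest()

def certificate_verify(ts: bytes) -> bytes:
    """Client's proof of key possession, bound to the handshake it took part in.
    HMAC stands in for the private-key signature (assumption of this example)."""
    return hmac.new(CLIENT_KEY, ts, hashlib.sha256).digest()

def simulate(mitm: bool, counter: int = 1) -> tuple[bool, bool]:
    """Return (otp_accepted, client_cert_accepted) as judged by the bank."""
    # Handshake the bank takes part in (with the user, or with the relay).
    bank_ts = transcript(os.urandom(32), os.urandom(32), BANK_CERT)
    if mitm:
        # To read or alter traffic the relay must terminate TLS itself, so the
        # user's handshake carries the relay's randoms and certificate.
        user_ts = transcript(os.urandom(32), os.urandom(32), PHISHER_CERT)
    else:
        user_ts = bank_ts
    # The user authenticates on the connection they see; the relay can only forward.
    forwarded_otp = otp(counter)
    forwarded_proof = certificate_verify(user_ts)
    # A real server would verify with the public key from the client certificate.
    otp_ok = hmac.compare_digest(forwarded_otp, otp(counter))
    cert_ok = hmac.compare_digest(forwarded_proof, certificate_verify(bank_ts))
    return otp_ok, cert_ok

if __name__ == "__main__":
    print("direct :", simulate(mitm=False))
    print("relayed:", simulate(mitm=True))
```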