[144297] in cryptography@c2.net mail archive
Re: Security through kittens, was Solving password problems
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Feb 25 10:48:16 2009
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com, johnl@iecc.com
Cc: edgerck@nma.com
In-Reply-To: <20090224234157.30826.qmail@simone.iecc.com>
Date: Wed, 25 Feb 2009 23:37:22 +1300
John Levine <johnl@iecc.com> writes:
>Clever though this scheme is, man-in-the-middle attacks make it no better
>than a plain SSL login screen.
You don't even need a MITM, just replace the site image on your phishing site
with either a broken-image picture or a message that your award-winning
site-image software is being upgraded and will be back soon, and it's rendered
totally ineffective. Ref: "The Emperor's New Security Indicators", Stuart
Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. These things are as
worthless as most of the other wish-it-was-two-factor authentication methods
that US banks have deployed in reaction to the FFIEC guidance (in the case of
Sitekey, it's the top-rated URL for the Prg malware, indicating that it
presents no problem at all for the phishers). The best "two-factor" I've seen
to date is the New Horizons Community Credit Union, whose idea of two-factor
auth is "Oh, we got both kinds. We got user name *and* password".
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com