[17297] in cryptography@c2.net mail archive


Re: Citibank discloses private information to improve security

daemon@ATHENA.MIT.EDU (Anne & Lynn Wheeler)
Tue May 31 16:45:02 2005

X-Original-To: cryptography@metzdowd.com
Date: Tue, 31 May 2005 14:31:13 -0600
From: Anne & Lynn Wheeler <lynn@garlic.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Adam Fields <cryptography23094893@aquick.org>,
	"James A. Donald" <jamesd@echeque.com>,
	"cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <20050531200639.0275D3BFFF9@berkshire.machshav.com>

Steven M. Bellovin wrote:
> Bank of America is adopting some new schemes that might help.  First, 
> they're asking users to select a picture the user selected at 
> registration time.  The theory is presumably that a phishing site won't 
> have the right image for you.  Second, you can "register" your 
> computer; if your account is accessed from another computer, additional 
> authentication is demanded, thus rendering a compromised password much 
> less useful.
> 
> I think both schemes will help; I doubt that either will stop the 
> problems.
> 
> 
> http://www.bankofamerica.com/newsroom/press/press.cfm?PressID=press.20050526.03.htm

but they appear to be vulnerable to MITM-attacks

a recent thread
http://seclists.org/lists/fulldisclosure/2005/May/0629.html
http://seclists.org/lists/fulldisclosure/2005/May/0637.html
http://seclists.org/lists/fulldisclosure/2005/May/0639.html
http://seclists.org/lists/fulldisclosure/2005/May/0644.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
