[17741] in cryptography@c2.net mail archive


Re: the limits of crypto and authentication

daemon@ATHENA.MIT.EDU (Lance James)
Sat Jul 9 17:38:33 2005

X-Original-To: cryptography@metzdowd.com
Date: Sat, 09 Jul 2005 11:05:48 -0700
From: Lance James <lancej@securescience.net>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050708190647.374493BFE55@berkshire.machshav.com>

Steven M. Bellovin wrote:

>There's been a lot of discussion about how to strengthen cryptography 
>and authentication, to get away from problems of phishing, pharming, 
>etc.  But such approaches can take you only so far, as this link 
>indicates:
>
>http://www.lurhq.com/grams.html
>
>Briefly, it's a Trojan that waits for you to log into E-Gold, checks 
>your balance, and drains your account except for .004 grams of gold.
>


There is a possible solution against an OLE event driven session rider 
such as this one. The solution I proposed was to use a variant of 
CAPTCHA that would add mutual authentication in the mix within the 
picture. Yes, there are some people that say CAPTCHA can be broken, but 
in the game of phishing, it's about numbers, not about silver bullets. 
The way to get around the "porn" CAPTCHA problem was to ask something 
that the user might only know and then ask the user about the activity 
they are performing.

This would stop this instance of E-gold attacks.

>		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb


-- 
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
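The mechanism sketched above, as an added illustration that is not code from Lance James, Secure Science or the list: the server issues a challenge image that carries a phrase only the user and the site share (so the user can tell a genuine prompt from a forged one), spells out the action being approved, and shows a one-time code that is bound to that exact transaction. A session rider that changes the destination after the user has read the image, or replays a code it sniffed, fails verification. The image rendering itself is out of scope and is represented by the text that would be drawn into it; the enrolled phrase, account names and amounts are constructed sample data.

```python
"""Transaction-bound visual challenge (constructed example, not the list's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    challenge_id: str
    code: str            # what the user must read off the image and type back
    tx_fingerprint: str  # ties the code to one specific transaction
    expires_at: float
    used: bool = False


def tx_fingerprint(account: str, amount: str, destination: str) -> str:
    # Canonical encoding of the action the user is authorising.
    data = "|".join([account, amount, destination]).encode()
    return hashlib.sha256(data).hexdigest()


class ChallengeServer:
    def __init__(self, ttl_seconds: int = 120, now=time.time):
        self.ttl = ttl_seconds
        self.now = now  # injectable clock so expiry can be exercised offline
        self._pending: dict[str, Challenge] = {}
        # Phrase chosen by the user at enrolment (constructed sample data).
        self._user_phrase = {"alice": "blue teapot on a red shelf"}

    def issue(self, account: str, amount: str, destination: str) -> tuple[str, str]:
        """Create a challenge; return (challenge_id, text that goes into the image)."""
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = Challenge(
            challenge_id=cid,
            code=code,
            tx_fingerprint=tx_fingerprint(account, amount, destination),
            expires_at=self.now() + self.ttl,
        )
        # Everything below would be rasterised into the CAPTCHA-style picture,
        # so a script riding the session cannot simply read it out of the DOM.
        image_text = (
            f"Your phrase: {self._user_phrase[account]}\n"
            f"Confirm: send {amount} to {destination}\n"
            f"Type this code to approve: {code}"
        )
        return cid, image_text

    def verify(self, cid: str, account: str, amount: str,
               destination: str, typed_code: str) -> bool:
        ch = self._pending.get(cid)
        if ch is None or ch.used or self.now() > ch.expires_at:
            return False
        ch.used = True  # single use, whatever the outcome
        if ch.tx_fingerprint != tx_fingerprint(account, amount, destination):
            return False  # transaction was altered after the user saw the image
        return hmac.compare_digest(ch.code, typed_code)


def read_code(image_text: str) -> str:
    # Stands in for the human reading the code off the picture.
    return image_text.rsplit(": ", 1)[1]


def demo() -> dict:
    clock = [1_000_000.0]
    srv = ChallengeServer(ttl_seconds=120, now=lambda: clock[0])
    out = {}

    # Legitimate approval, then a replay of the same code.
    cid, img = srv.issue("alice", "1.00", "merchant-123")
    out["phrase_shown"] = "blue teapot on a red shelf" in img
    out["legit"] = srv.verify(cid, "alice", "1.00", "merchant-123", read_code(img))
    out["replay"] = srv.verify(cid, "alice", "1.00", "merchant-123", read_code(img))

    # Destination swapped between the user reading the image and submission.
    cid, img = srv.issue("alice", "1.00", "merchant-123")
    out["tampered"] = srv.verify(cid, "alice", "1.00", "mule-999", read_code(img))

    # Code submitted after the challenge expired.
    cid, img = srv.issue("alice", "1.00", "merchant-123")
    clock[0] += 121
    out["expired"] = srv.verify(cid, "alice", "1.00", "merchant-123", read_code(img))

    # Wrong code typed.
    cid, img = srv.issue("alice", "1.00", "merchant-123")
    out["wrong_code"] = srv.verify(cid, "alice", "1.00", "merchant-123", "000000")
    return out


if __name__ == "__main__":
    print(demo())
```

The enrolled phrase only proves anything if it is never shown outside the image and the user is trained to refuse a prompt that lacks it; the transaction text in the picture is what lets the user spot a swapped destination, and the fingerprint check is what stops the server from honouring a code for anything other than what was shown.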


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
