[19827] in bugtraq

Re: otp - the next generation

daemon@ATHENA.MIT.EDU (Tristam Fenton-May)
Fri Mar 23 20:11:40 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010323155941.A6749@earth.li>
Date:         Fri, 23 Mar 2001 15:59:41 +0000
Reply-To: Tristam Fenton-May <tfm@EARTH.LI>
From: Tristam Fenton-May <tfm@EARTH.LI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.33.0103220058010.31917-100000@unix.developers.of.pl>;
              from lluzar@DEVELOPERS.OF.PL on Thu, Mar 22,
              2001 at 01:36:23AM +0100

On Thu, Mar 22, 2001 at 01:36:23AM +0100, Lukasz Luzar wrote:
>
> How does it work ?
> ==================
>
> When you want to log into the server from an untrusted network,
> then you send an SMS message with your real login and password
> (e.g. "john 12blah45") in the body of the message to the GSM phone
> connected to the server.

Surely this means that anyone who gets temporary access to your
mobile phone only needs to look at the outgoing messages which
are left stored in your phone to find your plain-text
username/password? Considering the places people leave their
phones - this seems like a bad idea.


--
TFM
