* Ian G.:

> R.A. Hettinga wrote:
>
>> <http://help.channels.aol.com/article.adp?catId=6&sCId=415&sSCId=4090&articleId=217623>
>> Have questions? Search AOL Help articles and tutorials:
>> .....
>> If you no longer want to use AOL PassCode, you must release your screen
>> name from your AOL PassCode so that you will no longer need to enter a
>> six-digit code when you sign on to any AOL service.
>>
>> To release your screen name from your AOL PassCode
>>  1. Sign on to the AOL service with the screen name you want to
>>     release from your AOL PassCode.
>>
>
> OK.  So all I have to do is craft a good reason to
> get people to reset their PassCode, craft it into
> a phishing mail and send it out?

I think you can forward the PassCode to AOL once the victim has
entered it on a phishing site.  Tokens à la SecurID can only help if
the phishing schemes *require* delayed exploitation of obtained
credentials, and I don't think we should make this assumption.  Online
MITM attacks are not prevented.

(Traditional IPsec XAUTH is problematic for the very same reason, even
with a SecurID token lookalike.)

---------------------------------------------------------------------
The Cryptography Mailing List
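
The point made in the reply above, as an added example that is not part of the original message and is not AOL's or RSA's code: a time-based token verifier, seen from the server side, rejects a code presented after its window or a second time, but has no input that tells it who is presenting a fresh code. An RFC 6238-style code stands in for the proprietary token algorithm; the 60-second step, the secret and the timestamps are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60    # assumed code lifetime in seconds (not stated in the thread)
DIGITS = 6   # the quoted help text describes a six-digit code

def token_code(secret: bytes, now: int) -> str:
    """RFC 6238-style time-based code (stand-in for the real token)."""
    counter = struct.pack(">Q", now // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Server-side check: code must match the current step and be unused."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        if step <= self.last_used_step:
            return False  # one-time use: this step was already consumed
        if not hmac.compare_digest(code, token_code(self.secret, now)):
            return False  # wrong or expired code
        self.last_used_step = step
        return True

SECRET = b"constructed-demo-secret"  # constructed sample value
T0 = 1_700_000_040                   # constructed timestamp, start of a step

def scenario(delay_seconds: int) -> bool:
    """User reads a code at T0 and types it into a site that is not the real
    service; the code reaches the real verifier delay_seconds later."""
    verifier = Verifier(SECRET)
    return verifier.verify(token_code(SECRET, T0), T0 + delay_seconds)

def replay_after_use() -> tuple:
    """The same code presented twice inside its window."""
    verifier = Verifier(SECRET)
    code = token_code(SECRET, T0)
    return verifier.verify(code, T0 + 5), verifier.verify(code, T0 + 10)

if __name__ == "__main__":
    print("presented 5 s later:", scenario(5))      # inside the window
    print("presented 1 h later:", scenario(3600))   # delayed use
    print("presented twice:", replay_after_use())
```

The verifier's only inputs are the code and the clock, so the delayed and repeated cases are the ones it can refuse; binding the login to the channel it arrives on has to come from something outside the token.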