Joerg Schneider wrote:

> So, PassCode and similar forms of authentication help against the current crop of phishing attacks, but that is likely to change if PassCode gets used more widely and/or protects something of interest to phishers.

> Actually I have been waiting for phishing with MITM to appear for some time (I haven't any yet ...


By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real
time?

Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.

(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)

Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?


> Assuming that MITM phishing will begin to show up and agreeing that PassCode over SSL is not the solution - what can be done to counter those attacks?


The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.

> Mutual authentication + establishment of a secure channel should do the trick. SSL with client authentication comes to my mind...


Maybe.  But that only addresses the MITM, not the
theft of user information.

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

