In message <[EMAIL PROTECTED]>, Nick Owen writes:
>It would seem simple to thwart such a trojan with strong authentication
>simply by requiring a second one-time passcode to validate the
>transaction itself in addition to the session.
>

How does the user know which transaction is really being authenticated?
(I alluded to this in a 1997 panel session talk; see
http://www.cs.columbia.edu/~smb/talks/ncsc-97/index.htm )

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]