Nick Owen <[EMAIL PROTECTED]> writes:
> It would seem simple to thwart such a trojan with strong authentication
> simply by requiring a second one-time passcode to validate the
> transaction itself in addition to the session.

Far better would be to have a token with a display attached to the PC. The token will display a requested transaction to the user and only sign it if the user agrees. Because the token is a trusted piece of hardware that the user cannot install software on, it provides a trusted communications path to the user that the PC itself cannot.

Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
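
The display-token scheme described in the reply above, modelled as an added example that is not part of the original message: the token authenticates exactly the transaction it displayed, so a compromised PC can neither get an altered transaction approved nor reuse the approval for a different one. The `DisplayToken` class, the shared key, the HMAC standing in for the token's signature, and the sample transactions are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

TOKEN_KEY = b"constructed-demo-key"  # constructed; shared by token and bank in this sketch


def canonical(txn):
    # Stable byte encoding so the token and the bank authenticate the same bytes.
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


class DisplayToken:
    """Hypothetical trusted token: shows the transaction, signs only on approval."""

    def __init__(self, key, user_approves):
        self._key = key
        self._user_approves = user_approves  # stands in for the user reading the display

    def sign(self, txn):
        shown = f"Pay {txn['amount']} to {txn['payee']}"  # rendered by the token, not the PC
        if not self._user_approves(shown):
            return None  # user declined: nothing is signed
        # HMAC is an assumption here; a real token might use an asymmetric signature.
        return hmac.new(self._key, canonical(txn), hashlib.sha256).hexdigest()


def bank_accepts(key, txn, tag):
    # The bank recomputes the tag over the transaction it actually received.
    if tag is None:
        return False
    expected = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def run(intended, sent_to_token, sent_to_bank):
    # The user approves only if the token's display matches what they meant to do.
    want = f"Pay {intended['amount']} to {intended['payee']}"
    token = DisplayToken(TOKEN_KEY, lambda shown: shown == want)
    tag = token.sign(sent_to_token)
    return bank_accepts(TOKEN_KEY, sent_to_bank, tag)


if __name__ == "__main__":
    good = {"payee": "Alice", "amount": "100.00"}     # constructed sample
    evil = {"payee": "Mallory", "amount": "9000.00"}  # constructed sample
    print("untampered PC:           ", run(good, good, good))
    print("PC alters before token:  ", run(good, evil, evil))
    print("PC alters after signing: ", run(good, good, evil))
```
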