Hi Lance,

On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
>
> Another problem from what I see with Malware that steals data is the
> formgrabbing and "on event" logging of data. Malware can detect if
> SecurID is being used based on targeted events, example: Say HSBC
> (Hypothetical example, not targeting HSBC) has two-factor logins in
> place, the problem with this is that it is vulnerable to session riding
> and trojan-in-the-middle attacks anyway, because the minute the user
> logs in, the malware could launder money out (unless transaction auth is
> in place, which in most cases it's not), or they could pharm the user
> with a fake website that resolves as HSBC but they go in within the time
> frame of that token being valid and have access. Either way, however you
> cut it, SecurID/Two-Factor User auth is not protected against malware,
> period.

Partly agreed. These kinds of attacks I usually teach in my workshops.

However, in all of these cases the attacker has to be online in the moment you are logging in and you experience any failure, e.g. can't log in or something like that.

But with the SID800 malware could silently sit in the background and pass token codes to the attacker even if you do not log in at this moment. E.g. it could wait until you have logged in (or out) and grab the next token code.

Furthermore, the attack you described presumes that the attacker knows where you want to log in. But when you could use the current token code as an indicator for searching login data in the input stream, then you can find new places to log in, e.g. your company VPN access point.

While the attack you describe is more important for banking, the USB attack is more against company logins.

regards
Hadmut

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]