Hadmut Danisch wrote:
> Hi Lance,
>
> On Fri, Sep 08, 2006 at 10:26:45AM -0700, Lance James wrote:
>> Another problem from what I see with Malware that steals data is the
>> formgrabbing and "on event" logging of data. Malware can detect if
>> SecurID is being used based on targeted events, example: Say HSBC
>> (Hypothetical example, not targeting HSBC) has two-factor logins in
>> place, the problem with this is that it is vulnerable to session riding
>> and trojan-in-the-middle attacks anyway, because the minute the user
>> logs in, the malware could launder money out (unless transaction auth is
>> in place, which in most cases it's not), or they could pharm the user
>> with a fake website that resolves as HSBC but they go in within the time
>> frame of that token being valid and have access. Either way, however you
>> cut it, SecurID/Two-Factor User auth is not protected against malware,
>> period.
>
> Partly agreed. These kinds of attacks I usually teach in my
> workshops.
>
> However, in all of these cases the attacker has to be online in the
> moment you are logging in and you experience any failure, e.g. can't
> login or something like that.
>
> But with the SID800 malware could silently sit in the background and
> pass token codes to the attacker even if you do not login at this
> moment. E.g. it could wait until you have logged in (or out) and grab
> the next token code.
>
> Furthermore, the attack you described presumes that the attacker knows
> where you want to login. But when you could use the current token code
> as an indicator for searching login data in the input stream, then you
> can find new places to login, e.g. your company VPN access point.
>
> While the attack you describe is more important for banking, the USB
> attack is more against company logins.
>
Agreed, and since my research is focused on online banking I can see yours and my point, either way, SecurID should not be the only concept for dependence.

> regards
> Hadmut

--
Best Regards,
Lance James
Secure Science Corp.
http://www.securescience.net