On 30/09/13 18:35, Igor Bukanov wrote:
> This stops lazy thieves that capture the password or one-time-codes
> for later use while modifying original ones so a banking site would
> reply with a password error page. This way the thieves do not need to
> develop any fake pages etc. However, this is useless against more
> sophisticated attacks that either replace the original banking page
> entirely or patch its elements to minimize the work to emulate the
> page design and then capture the passwords.
Why is this attack not thwarted by the use of external secure keys? That's what my bank has issued me. The one-time 6-digit PIN is tied to some transactional data (last 4 digits of transferee account number) and so can't be captured and reused for a different transfer. This seems like a better route than trying to do secure transactions on an insecure machine.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
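The transaction-bound code Gerv describes, as an added example that is not from the thread and not any bank's actual scheme: a hypothetical 6-digit code derived from a device-held secret, a per-transaction challenge and the last four digits of the transferee account, plus the bank-side check showing that a code captured for one transfer is rejected if the destination account or the session changes. The derivation (HMAC-SHA256 with HOTP-style truncation) and the challenge format are assumptions.

```python
import hmac
import hashlib
import secrets

# Hypothetical scheme: the 6-digit PIN depends on the token secret, a
# per-transaction challenge from the bank, and the transferee account's
# last 4 digits. This is a constructed model, not a real bank protocol.
DIGITS = 6


def transaction_code(token_secret: bytes, challenge: bytes, transferee_last4: str) -> str:
    """Token side: derive a 6-digit code bound to exactly one transfer."""
    if not (transferee_last4.isdigit() and len(transferee_last4) == 4):
        raise ValueError("transferee_last4 must be exactly 4 digits")
    msg = challenge + b"|" + transferee_last4.encode("ascii")
    digest = hmac.new(token_secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation: pick 4 bytes at an offset taken from the last nibble
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_transfer(token_secret: bytes, challenge: bytes, transferee_last4: str, code: str) -> bool:
    """Bank side: recompute from the transfer actually being submitted and compare in constant time."""
    expected = transaction_code(token_secret, challenge, transferee_last4)
    return hmac.compare_digest(expected, code)


def replay_demo() -> dict:
    """Constructed scenario: a code entered for one transfer is replayed against a modified one."""
    secret = secrets.token_bytes(32)        # constructed device-held secret
    challenge = secrets.token_bytes(8)      # constructed per-transaction challenge
    captured = transaction_code(secret, challenge, "1234")  # user's intended transferee ...1234
    return {
        # same challenge, same account: the legitimate transfer succeeds
        "legit": verify_transfer(secret, challenge, "1234", captured),
        # destination rewritten to ...9876 on the compromised machine: code no longer matches
        "redirected": verify_transfer(secret, challenge, "9876", captured),
        # same account but a later session with a fresh challenge: captured code is stale
        "later_session": verify_transfer(secret, secrets.token_bytes(8), "1234", captured),
    }


if __name__ == "__main__":
    print(replay_demo())
```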