There has been some oblique discussion about phishing and MIM attacks. MIM attacks are a concern; in particular, MIM attacks where the end user machine is compromised through a trojan are a very big concern. There is also concern about users typing passwords into entry forms presented by a MIM (classic phishing).
The use of dynamic credentials (One Time Passwords) does not protect against a MIM entry form attack, but it does have a major impact on the criminals. Dynamic credentials can only be used once. That means that there is an upper bound on the fraud loss when phishing takes place, since the number of transactions is limited. It also means that it is much harder to resell the credentials on a dumps market. A carder who buys 10,000 credit card numbers can test them out in a low value transaction such as buying a domain name before they go on to attempt a riskier high value transaction. Since dynamic credentials can only be used once, the perp is put at much greater risk. The other advantage of dynamic credentials is that they are self healing. It is not necessary to reissue the token unless the customer actually lost it.

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
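The single-use property the post relies on is enforced on the verifying server, not in the token: once a code has been accepted, that counter and every counter before it is dead, so a code captured by a phishing form is worthless the moment the legitimate user has consumed it. The following added example (not from the post or the dix list) shows that mechanism using RFC 4226 HOTP as the concrete dynamic-credential scheme, which is an assumption since the post names no particular scheme. The secret is the RFC 4226 test vector secret, and the `OtpVerifier` class, its look-ahead window of 3 and the `demo()` scenario are constructed for illustration.

```python
import hmac
import hashlib
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); constructed demo key,
# a real deployment provisions a random per-token secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password per RFC 4226: HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side state for one user's token (hypothetical helper).

    `counter` is the lowest counter value not yet consumed.  A successful
    verification advances it past the matched counter, so any code at or
    below that point, including one harvested by a phishing form, can
    never be accepted again.  `look_ahead` tolerates codes the user
    generated but never submitted (pressed the button, walked away)."""

    def __init__(self, secret: bytes, look_ahead: int = 3, digits: int = 6):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        submitted = code.encode("ascii", "replace")
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits).encode("ascii")
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.counter = c + 1  # consume this counter and all earlier ones
                return True
        return False


def demo() -> dict:
    """Walk through the phishing scenario from the post: a code that is
    replayed after the legitimate user consumed it is rejected."""
    v = OtpVerifier(SECRET)
    first = hotp(SECRET, 0)
    return {
        "first_use": v.verify(first),            # legitimate login
        "replay": v.verify(first),               # phished copy of the same code
        "skip_ahead": v.verify(hotp(SECRET, 3)), # user burned codes 1-2, still in window
        "stale": v.verify(hotp(SECRET, 2)),      # counter already moved past 2
        "too_far": v.verify(hotp(SECRET, 9)),    # beyond the look-ahead window
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:11s} accepted={accepted}")
```

The look-ahead window is the one tunable that trades usability against exposure: a wider window lets a stolen-but-unused code stay live longer, so it should be small and paired with a lockout after repeated failures. The fraud upper bound the post describes follows directly from the counter advancing on every accepted code.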
