On Thu, 24 May 2001 10:59:00 +0300, Henri Sivonen <[EMAIL PROTECTED]>
somehow managed to type:
>When I log in to the back, I give the next unused login password on my
>password sheet. That password is not used again. When I am done setting
>up transactions, I have to recheck the list of transactions to verify
>that a man in the middle has added transactions to the list. Then the
>bank system tells me which one of the confirmation password to use.
>
>This system was designed to prevent man in the middle attacks in the
>days of unencrypted telnet and modem connections.
The one-time passwords are a very good idea, but the confirmation password
really doesn't win you anything - the hypothetical man in the middle can
present you with a faked up confirmation page so you never see the
transactions he's inserted, but he gets the confirmation code he needs.
Charles Miller
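To make the point in the reply concrete, here is a small simulation, added to this archive page and not part of either message. It models the scheme Henri describes (one-time login passwords that are never reused, plus a confirmation code the bank selects by index from a printed sheet) and then shows why a confirmation code that is independent of the transaction list does not protect against an intermediary who alters that list, whereas a confirmation bound to the transaction contents (an HMAC keyed with the sheet code, assumed here as the fix; the thread itself names none) does. All names, account strings and sheet values are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed password sheet: one-time login passwords and confirmation codes.
SHEET_LOGIN = ["a1b2", "c3d4", "e5f6"]
SHEET_CONFIRM = ["k0", "k1", "k2", "k3"]


def canonical(txns):
    """Stable byte encoding of a transaction list so both sides MAC the same thing."""
    return json.dumps(txns, sort_keys=True, separators=(",", ":")).encode()


class Bank:
    """Toy bank back end. bind_to_content=False is the scheme from the thread;
    True is the assumed hardened variant where the confirmation covers the list."""

    def __init__(self, login_sheet, confirm_sheet, bind_to_content):
        self.unused_logins = list(login_sheet)
        self.confirm_sheet = list(confirm_sheet)
        self.bind = bind_to_content
        self.next_confirm_idx = 0
        self.pending = None
        self.executed = []

    def login(self, password):
        # The next unused login password must be presented; it is then discarded.
        if not self.unused_logins or password != self.unused_logins[0]:
            raise PermissionError("bad or reused one-time login password")
        self.unused_logins.pop(0)

    def submit(self, txns):
        # Bank records whatever list actually arrived and says which code to use.
        self.pending = txns
        return self.next_confirm_idx

    def expected_response(self, idx, txns):
        code = self.confirm_sheet[idx]
        if not self.bind:
            return code  # original scheme: code says nothing about the transactions
        return hmac.new(code.encode(), canonical(txns), hashlib.sha256).hexdigest()

    def confirm(self, response):
        expected = self.expected_response(self.next_confirm_idx, self.pending)
        self.next_confirm_idx += 1  # each confirmation code is used once
        if hmac.compare_digest(expected, response):
            self.executed.extend(self.pending)
            return True
        return False


def customer_response(idx, shown_txns, bind):
    """What the customer sends back, computed over the list they were shown."""
    code = SHEET_CONFIRM[idx]
    if not bind:
        return code
    # Assumed hardened variant: in practice a token or app would compute this.
    return hmac.new(code.encode(), canonical(shown_txns), hashlib.sha256).hexdigest()


def run_session(bind, tampered):
    """Returns (accepted, executed_transactions) for one login-and-confirm session.
    tampered=True models an intermediary that appends a transaction on the way
    to the bank while showing the customer only the list they typed."""
    bank = Bank(SHEET_LOGIN, SHEET_CONFIRM, bind)
    bank.login(SHEET_LOGIN[0])
    intended = [{"to": "ACME-ACCOUNT", "amount": 100}]          # constructed
    extra = [{"to": "OTHER-ACCOUNT", "amount": 900}]            # constructed
    delivered = intended + extra if tampered else intended
    idx = bank.submit(delivered)                 # bank sees the delivered list
    response = customer_response(idx, intended, bind)  # customer sees intended list
    return bank.confirm(response), bank.executed


if __name__ == "__main__":
    print("index code, untampered:", run_session(False, False))
    print("index code, tampered:  ", run_session(False, True))   # still accepted
    print("bound code, tampered:  ", run_session(True, True))    # rejected
```

The second line of output is the reply's point: with an index-selected code the bank accepts the altered list because the customer's response is identical for any list. The bound variant fails only because the customer's MAC is computed over a different list than the bank's; the short sheet code is a weak key and is used here only to show the binding, not as a recommendation of key length.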