> Such hardware devices are still vulnerable to phishing attacks; by
> modifying the transactions as they are approved, attackers can piggy-back
> rogue transactions on top of authorized transactions
Considering such devices (at least mine) are only used at login time, it would be extremely difficult, if not impossible, to "piggy back" off of it. Because to get in the next time around, you'd need one of those again, and all the codes would have changed. As soon as one logs in, the codes are invalidated to begin with. The only attack in that case would be to get a hold of the device -- "going physical" again -- defeat the PIN (gets busted after being put in wrong three times) and reverse-engineer the hashing algorithm.

This message posted from opensolaris.org

opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
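The two properties the poster relies on (a login code is invalidated the moment it is accepted, and repeated wrong attempts lock the device) are server-side verification rules, not properties of the token hardware itself. The following is an added example, not code from the thread or from any OpenSolaris component, showing how a verifier for a standard HOTP/TOTP token (RFC 4226 / RFC 6238, HMAC-SHA1) enforces single use by remembering the last accepted counter, and locks out after a configurable number of failures. The `OtpVerifier` class, its parameters and the seed value are assumptions for the example; the seed is the public RFC test-vector seed, chosen so the output can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector seed (public, for demonstration only).
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time // step), digits)


class OtpVerifier:
    """Server-side verifier (hypothetical) with replay rejection and failure lockout."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_failures: int = 3):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept +/- this many steps of clock skew
        self.max_failures = max_failures
        self.last_accepted_counter = -1  # highest counter whose code was ever accepted
        self.failures = 0
        self.locked = False

    def verify(self, code: str, at_time: int) -> bool:
        if self.locked:
            return False
        now = int(at_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            # Single-use rule: a counter at or below the last accepted one is spent,
            # so a captured code cannot be replayed, even inside the skew window.
            if counter <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True       # mirrors the token's own "three strikes" PIN rule
        return False


if __name__ == "__main__":
    v = OtpVerifier(DEMO_SEED)
    code = totp(DEMO_SEED, 1000)
    print("first use  :", v.verify(code, 1000))   # True
    print("replayed   :", v.verify(code, 1001))   # False: counter already spent
```

Note what the verifier does not protect against: the quoted warning is about a man-in-the-middle altering the transaction that a valid, fresh code authorizes, which single-use codes cannot detect because the code is bound to time, not to the transaction content. That is the gap transaction-signing tokens close.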