[LINK] Phishing past two-factor authentication
Adrian Chadd
adrian at creative.net.au
Fri Apr 20 14:29:52 AEST 2007
On Fri, Apr 20, 2007, Craig Sanders wrote:
> this is vulnerable to theft of the token device. it's also vulnerable
> if the algorithm being used is easily cracked. but any attacker also
> needs the login/password to make use of a stolen token. the advantage
> over digital certificates is that they're physically isolated from the
> computer so an attacker can't steal both auth. factors at the same time.
>
> i.e. an attacker has to make both a physical theft AND a digital theft
> (e.g. via virus or via social engineering) in order to gain access to the
> account.
Nah, it just requires some malware and a MIM with a much, much smarter M in
the M (i.e., it acts much like a tunnel, passing your credentials back and
forth until you're able to make a money transfer; then it goes to work).
In fact, if you want to be thorough you'd require the end client to verify
each transaction, so a smarter M in the M couldn't just substitute their
bank account details for your intended destination and send the money off.
Adrian
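An added illustration of the two points in Adrian's message (not code from the thread or from any bank product): a toy relay attacker that tunnels a plain OTP through unchanged and then substitutes its own destination account, beside a transaction-bound OTP where the code the token produces covers the destination and amount the user actually confirmed. The token seed, account numbers, amount and the `Bank`/`User` classes are all constructed for the example.

```python
"""Toy model of a relay ("smarter M in the M") attack on one-time passwords.

Added example, not from the LINK thread. Everything is constructed: the
seed, the account numbers and the Bank/User objects stand in for a real
token, bank and customer.
"""
import hashlib
import hmac

# Constructed shared secret between the bank and the user's token. A real
# deployment provisions a per-device seed at enrolment.
TOKEN_SEED = b"constructed-seed-0123456789abcdef"
INTENDED_DEST = "55-555555"      # where the user wants the money to go
ATTACKER_DEST = "99-999999"      # where the MITM wants it to go
AMOUNT = 1000


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code, as display tokens do."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def otp_plain(seed: bytes, counter: int) -> str:
    """Event-based OTP: depends on the seed and a counter only. Nothing ties
    it to the transaction, so whoever holds it can spend it on any transfer."""
    return _six_digits(hmac.new(seed, counter.to_bytes(8, "big"),
                                hashlib.sha256).digest())


def otp_bound(seed: bytes, counter: int, dest: str, amount: int) -> str:
    """Transaction-signing OTP: the MAC covers destination and amount, so the
    code only verifies for the transfer the user saw on the token's display."""
    msg = counter.to_bytes(8, "big") + dest.encode() + b"|" + str(amount).encode()
    return _six_digits(hmac.new(seed, msg, hashlib.sha256).digest())


class Bank:
    """Verifies an OTP against the transfer it is about to execute."""
    def __init__(self, seed: bytes, bound: bool):
        self.seed, self.bound, self.counter, self.ledger = seed, bound, 0, []

    def transfer(self, dest: str, amount: int, otp: str) -> bool:
        if self.bound:
            expected = otp_bound(self.seed, self.counter, dest, amount)
        else:
            expected = otp_plain(self.seed, self.counter)
        if not hmac.compare_digest(expected, otp):
            return False
        self.counter += 1
        self.ledger.append((dest, amount))
        return True


class User:
    """The victim, typing into what they believe is the bank's site."""
    def __init__(self, seed: bytes, bound: bool):
        self.seed, self.bound, self.counter = seed, bound, 0

    def authorize(self, dest: str, amount: int) -> str:
        # With a bound scheme the token shows dest/amount before signing;
        # with a plain scheme it shows only the code.
        if self.bound:
            otp = otp_bound(self.seed, self.counter, dest, amount)
        else:
            otp = otp_plain(self.seed, self.counter)
        self.counter += 1
        return otp


def run(bound: bool, mitm_substitutes: bool) -> list:
    """Relay one transfer through the MITM and return the bank's ledger.

    The MITM tunnels the user's credentials and OTP to the real bank; when
    mitm_substitutes is True it swaps in its own destination account."""
    bank, user = Bank(TOKEN_SEED, bound), User(TOKEN_SEED, bound)
    otp = user.authorize(INTENDED_DEST, AMOUNT)       # captured by the relay
    dest = ATTACKER_DEST if mitm_substitutes else INTENDED_DEST
    bank.transfer(dest, AMOUNT, otp)                 # forwarded by the relay
    return bank.ledger


if __name__ == "__main__":
    print("plain OTP, destination swapped:", run(False, True))
    print("bound OTP, destination swapped:", run(True, True))
    print("bound OTP, relayed unchanged:  ", run(True, False))
```

The relay succeeds against the plain OTP because the code is valid for any transfer the bank receives with the right counter; against the bound OTP an unchanged relay still goes through (the attacker is just a tunnel), but substituting the destination changes the MAC input and the bank rejects it. This only helps if the token itself displays the destination and amount, so that the values being signed are the ones the user confirmed rather than ones supplied by the compromised browser.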