[WEB SECURITY] New two-stage login procedure

Gervase Markham gerv at gerv.net
Wed Dec 13 14:07:47 EST 2006

Mark Mcdonald wrote:
> Inputting the PIN digits and the 'significant date' gives potential
> phishers even more information about the victim they could use to
> phone the bank and go to town with.

I'm not sure how the problem is increased here. Phishers get whatever 
password a site uses, whether it's a PIN or a date or what.

> Using randomly placed digits on a keypad prevents only a JS
> mouse-movement replay attack and allows anyone in the room to see
> what's being entered.

If the person is in the room, they probably have access to install 
loggers and so on. I think it's fair to focus on remote threats.
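To make the keypad point above concrete, here is an added example (not code from this thread or from any bank's login system) showing why a per-attempt shuffled keypad defeats a captured-click replay: the server keeps the layout it showed for that attempt and translates click positions back into digits, so positions recorded under one layout decode to different digits under the next. The layout strings, the PIN and the position indices below are constructed for illustration.

```python
import hmac
import secrets

DIGITS = "0123456789"


def new_layout():
    """Server side: a fresh random arrangement of the ten digits for one login attempt."""
    digits = list(DIGITS)
    secrets.SystemRandom().shuffle(digits)
    return "".join(digits)


def positions_for_pin(layout, pin):
    """What the legitimate user clicks: the keypad position of each PIN digit on the shown layout."""
    return [layout.index(d) for d in pin]


def positions_to_pin(layout, positions):
    """Server side: decode clicked positions (0..9) using the layout stored for this attempt."""
    return "".join(layout[p] for p in positions)


def verify_pin(layout, positions, expected_pin):
    """Server side: decode the clicks and compare in constant time against the stored PIN."""
    entered = positions_to_pin(layout, positions)
    return hmac.compare_digest(entered, expected_pin)


def replay_succeeds(captured_layout, current_layout, pin):
    """True if clicks captured under captured_layout still authenticate against current_layout.

    This is the defender's check: if it returns True the keypad shuffle bought nothing
    for this pair of layouts (it always does when the layout is not re-randomised).
    """
    captured_clicks = positions_for_pin(captured_layout, pin)
    return verify_pin(current_layout, captured_clicks, pin)


if __name__ == "__main__":
    pin = "4712"                       # constructed sample PIN
    first_layout = "3819204756"        # constructed layout shown on attempt 1
    second_layout = new_layout()       # genuinely random layout for attempt 2
    print("legitimate login:", verify_pin(first_layout, positions_for_pin(first_layout, pin), pin))
    print("replay against same layout:", replay_succeeds(first_layout, first_layout, pin))
    print("replay against new layout:", replay_succeeds(first_layout, second_layout, pin))
```

Note that the decoded digits are still a plain PIN once the server has them, and the positions are visible on screen while they are clicked, which is exactly the in-room observation problem raised above; the shuffle only changes what a recorded click sequence is worth later.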
