[WEB SECURITY] New two-stage login procedure
Gervase Markham
gerv at gerv.net
Wed Dec 13 14:07:47 EST 2006
Mark Mcdonald wrote:
> Inputting the PIN digits and the 'significant date' gives potential
> phishers even more information about the victim they could use to
> phone the bank and go to town with.

I'm not sure how the problem is increased here. Phishers get whatever
password a site uses, whether it's a PIN or a date or what.

> Using randomly placed digits on a keypad prevents only a JS
> mouse-movement replay attack and allows anyone in the room to see
> what's being entered.

If the person is in the room, they probably have access to install
loggers and so on. I think it's fair to focus on remote threats.

Gerv
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]