[WEB SECURITY] New two-stage login procedure
H. Morrow Long
morrow.long at yale.edu
Wed Dec 13 15:33:11 EST 2006
ANI can be spoofed and apparently
Caller-ID can now be spoofed as well:
http://www.msnbc.msn.com/id/11624504/
- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS
On Dec 13, 2006, at 12:22 PM, Esteban Ribičić wrote:
> sorry...i mean ANI ... bloody spell corrector!!
>
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
> the problem with the sms is they might not reach destination due to
> third party problems (carriers, etc). i used that as a token for my
> company vpn system...
>
> a smarter one would be:
>
> 1) user calls from a defined number (mobile) to a pbx
> 2) pbx checks ANI and asks for a code
> 3) pbx replies with a token
>
> user logs in with his normal credentials (bank account and password)
> + token + "common pool of questions".
>
> it's not expensive...asterisk can do it.
>
> my 5p
>
>
> On 12/13/06, Brian Eaton <eaton.lists at gmail.com > wrote:
> On 12/13/06, Brian Eaton < eaton.lists at gmail.com> wrote:
> > They ask for three digits, so there
> > are 1000 possibilities.
>
> <blush>
>
> I can't count. They ask for three digits, but order doesn't matter.
> Assuming they won't ask for you to enter the same digit multiple
> times, there are 120 possibilities, not 1000.
>
> Whoops.
>
> Regards,
> Brian
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
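The three-step PBX flow quoted above, together with the point made at the top of the thread that ANI and Caller-ID can be spoofed, can be modelled in a few lines. The following is an added illustration written for this archive page; it is not code from the thread, from Asterisk, or from any bank. The user registry, the PIN, the fixed demo key and the HMAC-over-time-window token construction are all assumptions of the example. The design choice it shows: the ANI match is used only to pick the account, and the PIN asked for in step 2 is what actually authenticates the caller, so a spoofed ANI on its own yields no token.

```python
import hashlib
import hmac

# Constructed demo key shared by the PBX and the login server (not a real key).
SERVER_KEY = b"constructed-demo-key-do-not-use"
TOKEN_WINDOW = 60  # seconds a phone-issued token stays valid


def _h(s: str) -> str:
    """Hash helper for the toy registry (a real system would use a password KDF)."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed user registry: account -> registered mobile (ANI), PIN hash, password hash.
USERS = {
    "acct-1001": {"ani": "+15551230001", "pin": _h("4821"), "pw": _h("correct horse")},
}


def _account_for_ani(ani: str):
    """Step 1: map the calling number to an account. ANI is spoofable, so this
    only selects the account; it proves nothing about who is calling."""
    for acct, rec in USERS.items():
        if rec["ani"] == ani:
            return acct
    return None


def make_token(account: str, now: int) -> str:
    """Six-digit token bound to the account and a 60-second window (assumed scheme)."""
    window = now // TOKEN_WINDOW
    mac = hmac.new(SERVER_KEY, f"{account}|{window}".encode(), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def pbx_call(ani: str, pin: str, now: int):
    """Steps 1-3 of the quoted proposal: match ANI, ask for a code (PIN), reply
    with a token. Returns None when either check fails."""
    account = _account_for_ani(ani)
    if account is None:
        return None
    # Step 2: the PIN is the real secret; constant-time compare on the hashes.
    if not hmac.compare_digest(USERS[account]["pin"], _h(pin)):
        return None
    # Step 3: hand back a short-lived token for the web login.
    return make_token(account, now)


def login(account: str, password: str, token: str, now: int) -> bool:
    """Web login: normal credentials plus the phone-issued token."""
    rec = USERS.get(account)
    if rec is None or not hmac.compare_digest(rec["pw"], _h(password)):
        return False
    # Accept the current and the previous window to cover the delay between
    # the phone call and the login form being submitted.
    for t in (now, now - TOKEN_WINDOW):
        if hmac.compare_digest(make_token(account, t), token):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000
    tok = pbx_call("+15551230001", "4821", now)
    print("token issued:", tok)
    print("login ok:", login("acct-1001", "correct horse", tok, now + 20))
    # A caller presenting the registered number but no valid PIN gets nothing.
    print("spoofed ANI, wrong PIN:", pbx_call("+15551230001", "0000", now))
```

Because the token is only as strong as the PIN behind it, the same counting argument raised earlier in the thread applies to whatever code the PBX asks for: a short numeric PIN with few attempts allowed is the part that needs rate limiting, not the ANI lookup.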