[WEB SECURITY] New two-stage login procedure

H. Morrow Long morrow.long at yale.edu
Wed Dec 13 15:33:11 EST 2006


ANI can be spoofed and apparently
Caller-ID can now be spoofed as well:

http://www.msnbc.msn.com/id/11624504/

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Dec 13, 2006, at 12:22 PM, Esteban Ribičić wrote:

> Sorry... I mean ANI... bloody spell corrector!!
>
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
> The problem with SMS is they might not reach the destination due to
> third-party problems (carriers, etc.). I used that as a token for my
> company VPN system...
>
> A smarter approach would be:
>
> 1) User calls from a defined number (mobile) to a PBX
> 2) PBX checks ANI and asks for a code
> 3) PBX replies with a token
>
> User logs in with their normal credentials (bank account and password)
> + token + "common pool of questions".
>
> It's not expensive... Asterisk can do it.
>
> my 5p
>
>
> On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
> On 12/13/06, Brian Eaton < eaton.lists at gmail.com> wrote:
> > They ask for three digits, so there
> > are 1000 possibilities.
>
> <blush>
>
> I can't count.  They ask for three digits, but order doesn't matter.
> Assuming they won't ask for you to enter the same digit multiple
> times, there are 120 possibilities, not 1000.
>
> Whoops.
>
> Regards,
> Brian
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>

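To make the scheme discussed above concrete, here is an added example, written for this page and not code from any participant in the thread (and not an Asterisk dialplan; the AGI or dialplan plumbing that would drive it is not shown). It models the PBX side (steps 1 to 3: look up the caller by ANI, demand the code, hand out a token) and the web side (normal credentials + token + pooled question). All phone numbers, codes, passwords, the security-question answer and the shared key are constructed sample data, and the HMAC-over-user-and-time token format is this example's own choice. Because ANI and Caller-ID can be spoofed, the ANI lookup is treated only as a way to select the account; the code typed on the keypad is the secret, it is rate-limited per number, and the issued token expires.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the example, not real accounts or keys.
SERVER_KEY = secrets.token_bytes(32)   # assumption: one key shared by PBX and web front end
TOKEN_TTL = 120                         # seconds a phone-issued token stays valid
MAX_FAILURES = 3                        # wrong codes tolerated per ANI before lock-out
_SALT = b"constructed-salt"


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# phone number (ANI) -> (username, phone code)
PHONE_DIRECTORY = {"+15551230001": ("alice", "4711")}
# username -> (password hash, answer to the pooled question)
ACCOUNTS = {"alice": (_pw_hash("correct horse", _SALT), "rover")}


def make_token(user, now):
    """Issue time plus a truncated HMAC over user and time: bound to one user, one window."""
    mac = hmac.new(SERVER_KEY, f"{user}:{now}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{now}:{mac}"


def verify_token(user, token, now):
    try:
        issued_str, mac = token.split(":")
        issued = int(issued_str)
    except ValueError:
        return False
    if not 0 <= now - issued <= TOKEN_TTL:
        return False  # expired, or claims to be from the future
    expected = hmac.new(SERVER_KEY, f"{user}:{issued}".encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(mac, expected)


class PBX:
    """Steps 1-3 of the posted scheme, PBX side."""

    def __init__(self, directory):
        self.directory = directory
        self.failures = {}

    def handle_call(self, ani, code_entered, now):
        # Step 2a: ANI lookup. This only selects the account; it proves nothing,
        # since ANI/Caller-ID can be spoofed.
        entry = self.directory.get(ani)
        if entry is None or self.failures.get(ani, 0) >= MAX_FAILURES:
            return None  # unknown or locked number: hang up
        user, code = entry
        # Step 2b: the keypad code is the real secret; compare in constant time.
        if not hmac.compare_digest(code_entered.encode(), code.encode()):
            self.failures[ani] = self.failures.get(ani, 0) + 1
            return None
        self.failures.pop(ani, None)
        return make_token(user, now)  # step 3: read the token back to the caller


def web_login(user, password, token, answer, now):
    """Second stage: normal credentials + phone token + pooled question."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    pw_hash, expected_answer = acct
    ok_pw = hmac.compare_digest(_pw_hash(password, _SALT), pw_hash)
    ok_tok = verify_token(user, token, now)
    ok_q = hmac.compare_digest(answer.lower().encode(), expected_answer.encode())
    return ok_pw and ok_tok and ok_q


def demo(now=1_700_000_000):
    pbx = PBX(PHONE_DIRECTORY)
    # Genuine caller: right number, right code -> token, then the full login succeeds.
    tok = pbx.handle_call("+15551230001", "4711", now)
    legit = web_login("alice", "correct horse", tok, "Rover", now + 30)
    # Spoofed ANI alone: the lookup passes, but without the code no token is issued.
    spoofed = pbx.handle_call("+15551230001", "0000", now)
    # Replay after the TTL: the token stops working even with everything else right.
    stale = web_login("alice", "correct horse", tok, "Rover", now + TOKEN_TTL + 1)
    return {"legit": legit, "spoofed_token": spoofed, "stale": stale}


if __name__ == "__main__":
    print(demo(int(time.time())))
```

The split between the two stages is the point: the ANI check narrows which account is being claimed, but a spoofed number earns the attacker nothing beyond a chance to guess the code, and that chance is capped by the per-number lock-out. The token carries the user name inside the MAC, so a token issued for one account cannot be presented for another, and the time window keeps a shoulder-surfed or intercepted token from being replayed later.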

