[WEB SECURITY] New two-stage login procedure

James Landis jcl24 at cornell.edu
Wed Dec 13 16:43:09 EST 2006


I'm not sure I see how requiring both PINs at the same time is any more
challenging for phishers than requiring one before the other. If anything,
asking for both at the same time is _easier_ for phishers.

On 12/13/06, Brian Eaton <eaton.lists at gmail.com> wrote:
>
> On 12/13/06, James Landis <jcl24 at cornell.edu> wrote:
> > The PIN plus alternate channel process (e.g. cell phone text message)
> > needs to require a valid PIN _before_ generating the text message with
> > the second PIN for authentication. Otherwise, text spamming is possible.
> > While this can be limited to one spam per user, that could still add up
> > to a lot of spam.
>
> Humph.  This is an unfortunate choice to have to make.
>
> If you make someone give up the PIN before you send the text message,
> phishers have an easier time stealing PINs.
>
> If you send the text message first, pranksters can annoy your end users.
>
> I might go ahead and send the text message first, on the grounds that
> pranksters won't find this prank all that amusing, whereas phishers
> may be strongly motivated.
>
> Regards,
> Brian
>
>
> ----------------------------------------------------------------------------
> The Web Security Mailing List:
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
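The trade-off the two messages argue about can be seen concretely by modelling both orderings. What follows is an added example written for this archive page; it is not code from either poster. The class name `TwoStageLogin`, the PIN store, the send cap and window, the OTP lifetime and the stubbed "SMS" sink (a list the caller can inspect) are all assumptions made for illustration. In `pin_first` mode no message is sent until the static PIN is verified, so an attacker without the PIN cannot trigger text messages at all, but the PIN is handed over before the second factor. In the other mode the message goes out on username alone, so a prankster can trigger it, and the only defence is the per-user send cap the first message mentions.

```python
import hmac
import secrets
import time

# Constructed parameters (assumptions, not values from the thread).
OTP_TTL_SECONDS = 300        # second PIN is valid for five minutes
SMS_CAP_PER_WINDOW = 1       # "limited to one spam per user", per window
SMS_WINDOW_SECONDS = 3600


class TwoStageLogin:
    """Two-stage login: static PIN plus a one-time PIN sent out of band.

    pin_first=True  : static PIN must be valid before any message is sent.
    pin_first=False : message is sent on username alone; static PIN is
                      collected together with the one-time PIN at stage 2.
    """

    def __init__(self, pins, pin_first=True, clock=time.time):
        self._pins = dict(pins)      # username -> static PIN (assumed store)
        self._pin_first = pin_first
        self._clock = clock          # injectable for testing expiry/windows
        self.sent = []               # stub SMS sink: (username, otp) pairs
        self._pending = {}           # username -> (otp, expiry timestamp)
        self._send_log = {}          # username -> timestamps of sends

    def _check_pin(self, user, pin):
        stored = self._pins.get(user, "")
        # compare_digest keeps the comparison time independent of where
        # the first mismatching digit is; bytes avoid the ASCII-only rule.
        return user in self._pins and hmac.compare_digest(
            stored.encode(), (pin or "").encode())

    def _can_send(self, user):
        # Sliding window: count only sends still inside the window.
        now = self._clock()
        recent = [t for t in self._send_log.get(user, [])
                  if now - t < SMS_WINDOW_SECONDS]
        self._send_log[user] = recent
        return len(recent) < SMS_CAP_PER_WINDOW

    def start(self, user, pin=None):
        """Stage 1. Returns True only if a one-time PIN was sent."""
        if self._pin_first:
            if not self._check_pin(user, pin):
                return False        # no PIN, no message: nothing to spam
        elif user not in self._pins:
            return False
        if not self._can_send(user):
            return False            # cap reached: this is the only brake
                                    # in SMS-first mode
        otp = f"{secrets.randbelow(10**6):06d}"
        now = self._clock()
        self._pending[user] = (otp, now + OTP_TTL_SECONDS)
        self._send_log.setdefault(user, []).append(now)
        self.sent.append((user, otp))   # real code hands this to an SMS gateway
        return True

    def finish(self, user, otp, pin=None):
        """Stage 2. A pending one-time PIN is consumed by any attempt,
        right or wrong, so each message permits exactly one guess."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry:
            return False
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            return False
        if not self._pin_first and not self._check_pin(user, pin):
            return False
        return True
```

In both modes a wrong or expired one-time PIN discards the pending value, so a new message is needed for another try, and that message is itself subject to the cap. That is what keeps the six-digit second PIN from being brute-forced, and it is also why the cap has to be low enough to limit nuisance messages yet high enough that a legitimate user who mistypes once is not locked out for the whole window.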