[WEB SECURITY] New two-stage login procedure

Brian Eaton eaton.lists at gmail.com
Wed Dec 13 16:53:16 EST 2006

On 12/13/06, James Landis <jcl24 at cornell.edu> wrote:
> I'm not sure I see how requiring both PINs at the same time is any more
> challenging for phishers than requiring one before the other. If anything,
> asking for both at the same time is _easier_ for phishers.

The protocol would, ideally, go like this:
- user views web site and enters their user-id
- web site demonstrates that it recognizes the user by sending them a
text message
- user receives the text message, then enters their PIN and the text
message together.
- bank verifies that both the PIN and the text message are correct.

In theory, users shouldn't enter their PIN until they see the text
message from the bank.  That would keep phishers from stealing PINs,
at least until they get their MITM proxy working.

In practice, you may be right.  Users who aren't paying attention will
happily provide a phishing site with both their user-id and their PIN.
And probably their mother's maiden name, and maybe their mom's phone
number to boot.
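A small simulation of the four-step exchange described above, added here as an illustration and not code from the original thread. It assumes a constructed account table, an in-memory outbox standing in for the SMS channel, a two-minute validity window for the code, and single-use codes; it shows why a site that has only collected the user-id and PIN still cannot complete stage two.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # constructed policy: the text-message code is valid for two minutes


class Bank:
    """Server side of the two-stage login: user-id first, then PIN + text-message code."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # constructed table: user-id -> PIN (plaintext only for the demo)
        self.pending = {}          # user-id -> (code, expiry timestamp)
        self.outbox = []           # stands in for the SMS channel to the user's phone
        self.clock = clock         # injectable so expiry can be tested deterministically

    def stage_one(self, user_id):
        """Step 1/2: a recognised user-id triggers a fresh code sent out of band."""
        if user_id not in self.accounts:
            return False           # a real site would answer uniformly to avoid user enumeration
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = (code, self.clock() + OTP_TTL_SECONDS)
        self.outbox.append((user_id, code))
        return True

    def stage_two(self, user_id, pin, code):
        """Step 3/4: PIN and code are submitted together; both must be correct."""
        entry = self.pending.pop(user_id, None)   # single use: consumed by any attempt
        if entry is None:
            return False                          # no stage one, already used, or unknown user
        expected_code, expiry = entry
        if self.clock() > expiry:
            return False                          # code expired
        pin_ok = hmac.compare_digest(self.accounts[user_id].encode(), pin.encode())
        code_ok = hmac.compare_digest(expected_code.encode(), code.encode())
        return pin_ok and code_ok                 # evaluate both so timing does not reveal which failed


def honest_login(bank, user_id, pin):
    """A user who waits for the text message before entering the PIN, as the protocol intends."""
    if not bank.stage_one(user_id):
        return False
    _, code = bank.outbox[-1]                     # user reads the code off their phone
    return bank.stage_two(user_id, pin, code)


def phished_credentials_alone(bank, user_id, pin):
    """A third party holding only user-id and PIN never sees the code and fails stage two."""
    bank.stage_one(user_id)
    return bank.stage_two(user_id, pin, "no-code")
```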
