[WEB SECURITY] New two-stage login procedure

Esteban Ribičić kisero at gmail.com
Wed Dec 13 17:20:52 EST 2006


Sorry, I don't get it. (yeahhh, I'm newwwww!!)

"In cryptography <http://en.wikipedia.org/wiki/Cryptography>, a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised"

Could you explain further? I can't see the relationship.

User has a password for the site and a code (like a 4-digit ATM code).
He calls, inputs that 4-digit code, and he gets a token.

He logs on to the site with user + password.

What's wrong?

On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:
>
> And it would still be susceptible to a MITM attack, like all 2FA schemes
> focused solely on session auth.
>
> Here is my question:  Is it possible to do strong mutual authentication
> without using cryptography?  Are the FIs fooling themselves to think
> otherwise?
>
> nick
>
> Brian Eaton wrote:
> > On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
> >> a smarter one would be:
> >>
> >> 1) user calls from a defined number (mobile) to a pbx
> >> 2) pbx checks any and asks for a code
> >> 3) pbx replies with a token
> >>
> >> user logs in with his normal credentials (bank account and password) +
> >> token +
> >> "common pool of questions".
> >>
> >> it's not expensive... Asterisk can do it.
> >
> > Caller ID spoofing seems like a problem with this system:
> >
> > http://www.securityfocus.com/news/9822
> >
> > Regards,
> > Brian
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
> https://www.linkedin.com/in/nickowen
>
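As an added illustration of Nick Owen's point (this is not code from the thread, from WiKID Systems or from any bank; the account, the transfer and the transaction-binding design are constructed for the example): the PBX token in the scheme above authenticates the login session only, so a transfer whose details change between the customer and the bank is accepted like any other; keying a MAC over the transfer details with the one-time token is one way to make such a change detectable.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; nothing here comes from the thread.
USERS = {"alice": {"password": "correct horse", "phone_pin": "4321"}}

def pbx_issue_token(user, pin):
    """Stage one of the thread's scheme: the PBX checks the 4-digit code and
    hands back a one-time token (None if the code is wrong)."""
    if USERS.get(user, {}).get("phone_pin") != pin:
        return None
    return f"{secrets.randbelow(10**6):06d}"

def login(user, password, presented, issued):
    """Stage two: user + password + token.  This authenticates the session
    only; it says nothing about what that session later submits."""
    u = USERS.get(user)
    return (u is not None and u["password"] == password
            and hmac.compare_digest(issued, presented))

def sign_transfer(token, transfer):
    """Transaction-bound alternative (constructed, not proposed in the thread):
    the second factor is an HMAC over the transfer details keyed with the
    one-time token, so it is useless for any other transfer."""
    msg = f"{transfer['to']}|{transfer['amount']}".encode()
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()

def verify_transfer(issued, transfer, signature):
    """The bank recomputes the MAC over the transfer it actually received."""
    return hmac.compare_digest(sign_transfer(issued, transfer), signature)

def demo():
    """Run both designs against the same transfer altered in transit.
    Returns (accepted with session-only 2FA, accepted with transaction 2FA)."""
    token = pbx_issue_token("alice", "4321")
    typed = {"to": "ACME Utilities", "amount": "50.00"}
    received = {"to": "other payee", "amount": "5000.00"}  # changed en route

    # Session-only 2FA: a valid login is all the bank checks, so the altered
    # transfer is accepted exactly like the one the customer typed.
    session_only = login("alice", "correct horse", token, token)

    # Transaction-bound 2FA: the MAC was made over `typed`, so `received`
    # fails verification and the alteration is detected.
    bound = verify_transfer(token, received, sign_transfer(token, typed))
    return session_only, bound
```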