[WEB SECURITY] New two-stage login procedure

nowen at wikidsystems.com
Thu Dec 14 07:49:27 EST 2006


The MITM is between the user and the valid website. There is no authentication of the host to the user.   


--
Nick Owen
CEO
404-962-8983
WiKID Systems, Inc. 
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication    

-----Original Message-----
From: "Esteban Ribičić" <kisero at gmail.com>
Date: Wed, 13 Dec 2006 22:20:52 
To:"Nick Owen" <nowen at wikidsystems.com>
Cc:"Brian Eaton" <eaton.lists at gmail.com>, "Web Security" <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] New two-stage login procedure

Sorry, I don't get it. (yeahhh, I'm newwwww!!)
  
"In cryptography: <http://en.wikipedia.org/wiki/Cryptography> , a man-in-the-middle attack (MITM) is an attack in which an attacker is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised" 
  
Could you explain further? I can't see the relationship.
  
User has a password for the site and a code (like a 4-digit ATM code).
He calls, inputs that 4-digit code, and gets a token.
  
He logs on the site, user + password. 
  
What's wrong?
  
On 12/13/06, Nick Owen <nowen at wikidsystems.com> wrote:
And it would still be susceptible to a MITM attack, like all 2FA schemes
focused solely on session auth.

Here is my question:  Is it possible to do strong mutual authentication
without using cryptography?  Are the FIs fooling themselves to think
otherwise?

nick

Brian Eaton wrote:
> On 12/13/06, Esteban Ribičić <kisero at gmail.com> wrote:
>> a smarter one would be:
>>
>> 1) user calls from a defined number (mobile) to a pbx
>> 2) pbx checks any and asks for a code
>> 3) pbx replies with a token
>>
>> user logs in with his normal credentials (bank account and password) +
>> token +
>> "common pool of questions".
>>
>> It's not expensive... Asterisk can do it.
>
> Caller ID spoofing seems like a problem with this system:
>
> http://www.securityfocus.com/news/9822
>
> Regards,
> Brian 

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

https://www.linkedin.com/in/nickowen

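Added illustration of the point Nick makes at the top of the thread (not code from the list or from WiKID): a toy in-process model in which a phishing proxy relays the victim's password and one-time token to the real site in real time. A token that depends only on the shared seed (the PBX scheme discussed) is relayed unchanged and accepted, whereas a token that the device also binds to the hostname the user is actually talking to is rejected by the real site. The classes, hostnames, seed and user record are all constructed for the example; the host-bound variant assumes the device obtains the hostname from a channel that authenticates the host (e.g. a verified TLS certificate), which is exactly the host-to-user authentication the thread says is missing.

```python
import hmac
import hashlib

SEED = b"constructed-seed-shared-by-device-and-bank"  # constructed, not a real key


def otp(seed: bytes, counter: int) -> str:
    """Session-only token: depends on the seed and a counter, nothing else."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]


def bound_otp(seed: bytes, counter: int, host: str) -> str:
    """Host-bound token: the device also mixes in the hostname it is talking to."""
    msg = counter.to_bytes(8, "big") + host.encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:6]


class Bank:
    """The real site. Verifies password plus token; token form depends on `bound`."""
    HOST = "bank.example"  # constructed hostname

    def __init__(self, bound: bool):
        self.bound, self.counter = bound, 1
        self.users = {"alice": "correct-horse"}  # constructed credential

    def login(self, user: str, password: str, token: str) -> bool:
        if self.users.get(user) != password:
            return False
        expected = (bound_otp(SEED, self.counter, self.HOST) if self.bound
                    else otp(SEED, self.counter))
        return hmac.compare_digest(expected, token)


class Proxy:
    """Look-alike site that forwards whatever the victim submits to the real bank."""
    HOST = "bank-login.example"  # constructed look-alike hostname

    def __init__(self, bank: Bank):
        self.bank = bank

    def login(self, user: str, password: str, token: str) -> bool:
        return self.bank.login(user, password, token)  # real-time relay


def victim_logs_in(site, bound: bool) -> bool:
    """The device computes the token for the host the victim is actually connected to."""
    token = bound_otp(SEED, 1, site.HOST) if bound else otp(SEED, 1)
    return site.login("alice", "correct-horse", token)


def direct_login_ok(bound: bool) -> bool:
    return victim_logs_in(Bank(bound), bound)


def relayed_login_ok(bound: bool) -> bool:
    return victim_logs_in(Proxy(Bank(bound)), bound)
```

The relay succeeds with the session-only token and fails with the host-bound one; the difference is not the token's secrecy but whether the device can verify which host it is authenticating to.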