[WEB SECURITY] Phishing attacks circumventing two-factor auth

Brian Eaton eaton.lists at gmail.com
Mon Jul 10 19:40:39 EDT 2006


On 7/10/06, dpw <dainw at fsr.com> wrote:
> For any mission critical applications, lately I have been using a
> server-side generated "magic hash" key that I generate when the form is
> loaded, and which gets posted along with my forms.

That's not a bad idea, but it wouldn't have helped here.  This sounds
like classic MITM.

The two-factor authentication solution should reduce the damage from
this attack.  The phishers probably made some cash from this scam, but
once the site was taken down the game was over.  They shouldn't be
able to use the stolen passwords without the tokens to go along with
them.

Regards,
Brian

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list