[WEB SECURITY] SiteKey

Nick Owen nowen at wikidsystems.com
Tue Oct 31 17:13:58 EST 2006



Brian Eaton wrote:
> On 10/31/06, Steve Shah <sshah at risingedge.org> wrote:
>> Casual users are not likely to realize that an alternative
>> spelling or use of their banks' name in the URL should be
>> cause for concern. For example:
>>
>> <a href="http://www.bankofamericas.us">Bank of America</a>
>>
>> will seem legit even though it isn't. In other words, you
>> need not do something as complex as DNS spoofing to get
>> the traffic.
> 
> This is one of the things I like about PassMark: these attacks may fool
> a user, but they won't fool a browser into sending the cookie to the
> wrong host.

That makes sense.  I think that financial institutions might be better
off using something like sitekey and then using two-factor
authentication/OTPs for transaction authentication for high-risk
accounts.  I don't really need 2FA session authentication for my IRA,
since the money never leaves.  But my stock account is a different
story.  I need to be able to react quickly and might move a lot of money
once in a blue moon.

Nick


-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen
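The point Brian makes above (a lookalike domain can fool the user but cannot make the browser send the bank's cookie to the wrong host) comes down to the browser's cookie-scoping rule. The following is an added example written for this thread, not PassMark/SiteKey code or any browser's source: a small model of RFC 6265 domain matching and the host-only flag, run against a constructed cookie jar and the hostnames from the thread. The cookie names, the `Domain=bankofamerica.com` cookie and the `bankofamerica.com.evil.example` probe are all assumptions made up for the demonstration.

```javascript
// Added example: a minimal model of how a browser decides which stored
// cookies go out with a request (RFC 6265 section 5.1.3 domain matching
// plus the host-only flag). Illustrative code for this thread; it is not
// PassMark/SiteKey code or a browser implementation. All hostnames and
// cookie names below are constructed for the example.

// Lower-case and strip a trailing dot so "WWW.Example.COM." == "www.example.com".
function canonicalHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// RFC 6265 5.1.3: `host` domain-matches `cookieDomain` when they are identical,
// or when cookieDomain is a suffix of host, the character before that suffix
// is ".", and host is not an IP literal. Note that "bankofamericas.us" and
// "bankofamerica.com.evil.example" both fail this test against
// "bankofamerica.com".
function domainMatches(host, cookieDomain) {
  const h = canonicalHost(host);
  const d = canonicalHost(cookieDomain);
  if (h === d) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false; // IPv4 literal: never suffix-matched
  return h.endsWith("." + d);
}

// A cookie set without a Domain attribute is "host-only" and is returned only
// to the exact host that set it; one set with Domain=... is domain-matched.
function cookieAppliesTo(cookie, requestHost) {
  const h = canonicalHost(requestHost);
  if (cookie.hostOnly) return h === canonicalHost(cookie.domain);
  return domainMatches(h, cookie.domain);
}

// Names of the cookies the browser would attach to a request for requestHost.
function cookiesForRequest(jar, requestHost) {
  return jar.filter((c) => cookieAppliesTo(c, requestHost)).map((c) => c.name);
}

// Constructed jar: a host-only device token set by the bank's login page, and a
// domain-wide preference cookie set with Domain=bankofamerica.com.
const JAR = [
  { name: "passmark_device", domain: "www.bankofamerica.com", hostOnly: true },
  { name: "site_pref", domain: "bankofamerica.com", hostOnly: false },
];

// Hosts to probe: the real site, a sibling host under the real domain, the
// lookalike from the thread, and a suffix-spoofing attempt.
const PROBES = [
  "www.bankofamerica.com",
  "online.bankofamerica.com",
  "www.bankofamericas.us",
  "bankofamerica.com.evil.example",
];

for (const host of PROBES) {
  console.log(host.padEnd(32), JSON.stringify(cookiesForRequest(JAR, host)));
}
```

Only the request to `www.bankofamerica.com` receives the host-only device token; the lookalike and the suffix-spoofing host receive nothing. The model covers only the browser's cookie-scope decision, which is the part of the scheme the attacker cannot influence; whether the user notices that the expected image did not appear on the lookalike page is a separate question the code does not address.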

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
