there have always been lots of problems with shared-secrets in general ...
and especially things that aren't necessarily all that secret ... but easy
for people to remember. the aads activity
http://www.garlic.com/~lynn/index.html#aads

has always been about being able to substitute non-shared-secret paradigm
for shared-secret paradigm as method of authentication. the above url has
lots of references of such a paradigm ... including a hardware token
implementation.

in a larger sense .... this falls into the taxonomy of general
skimming/harvesting which in one form or another affects a lot of the
payment card industry.

some past fraud related postings
http://www.garlic.com/~lynn/subtopic.html#fraud

a related but different harvesting technique ... also addressed by a
non-shared-secret paradigm; aka most shared-secret exploits can be
addressed by migrating to a non-shared-secret paradigm
http://www.garlic.com/~lynn/2001h.html#61 security proportional to risk

and only somewhat related ... my merged security taxonomy & glossary
http://www.garlic.com/~lynn/secure.htm

description of the sources:
http://www.garlic.com/~lynn/index.html#glosnote
