John Levine <> writes:

>Clever though this scheme is, man-in-the middle attacks make it no better
>than a plain SSL login screen.

You don't even need a MITM, just replace the site image on your phishing site 
with either a broken- image picture or a message that your award-winning 
site-image software is being upgraded and will be back soon and it's rendered 
totally ineffective. Ref: "The Emperor's New Security Indicators", Stuart 
Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer.  These things are as 
worthless as most of the other wish-it-was-two-factor authentication methods 
that US banks have deployed in reaction to the FFIEC guidance (in the case of 
Sitekey, it's the top-rated URL for the Prg malware, indicating that it 
presents no problem at all for the phishers).  The best "two-factor" I've seen 
to date is the New Horizons Community Credit Union, whose idea of two-factor 
auth is "Oh, we got both kinds.  We got user name *and* password".


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to