In message <[EMAIL PROTECTED]>, Nick Owen writes:
>It would seem simple to thwart such a trojan with strong authentication
>simply by requiring a second one-time passcode to validate the
>transaction itself in addition to the session.

How does the user know which transaction is really being authenticated?
(I alluded to this in a 1997 panel session talk; see )

                --Steven M. Bellovin,

The Cryptography Mailing List