Steven M. Bellovin wrote:
There's been a lot of discussion about how to strengthen cryptography
and authentication, to get away from problems of phishing, pharming,
etc. But such approaches can take you only so far, as this link
indicates:
http://www.lurhq.com/grams.html
Briefly, it's a Trojan that waits for you to log into E-Gold, checks
your balance, and drains your account except for .004 grams of gold.
There is a possible solution against an OLE event driven session rider
such as this one. The solution I proposed was to use a variant of
CAPTCHA that would add mutual authentication in the mix within the
picture. Yes, there are some people that say CAPTCHA can be broken, but
in the game of phishing, it's about numbers, not about silver bullets.
The way to get around the "porn" CAPTCHA problem was to ask something
that the user might only know and then ask the user about the activity
they are performing.
This would stop this instance of E-gold attacks.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://www.securescience.net/amazon/
Find out how malware is affecting your company: Get a DIA account today!
https://slam.securescience.com/signup.cgi - it's free!
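As an added illustration of the "activity confirmation" idea in the reply above (this is example code, not anything from the thread or from Secure Science), the sketch below models the server rendering, inside the challenge image, the user's own secret phrase plus the transaction it actually received, and asking the user to type the amount they intend to send. The key, phrase, account numbers and amounts are all constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example (not code from the thread): the server renders, inside the
# CAPTCHA image, the user's own secret phrase (so the user can authenticate the
# site) together with the transaction the server actually received, and asks
# the user to type one detail of the activity they believe they are performing.
# A session rider that silently changed the transaction produces a mismatch.

SERVER_KEY = b"constructed-server-key"   # hypothetical HMAC key, placeholder

def describe(txn):
    """Canonical text of a transfer as the server received it."""
    return f"send {txn['grams']:.3f} g to account {txn['to']}"

def build_challenge(user_phrase, txn):
    """Return (text_to_render, token). The token binds the answer to this exact
    transaction so an answer cannot be replayed against an altered one."""
    nonce = secrets.token_hex(8)
    text = (f"Your phrase: {user_phrase}. Confirm: {describe(txn)}. "
            f"Type the amount in grams you intend to send.")
    mac = hmac.new(SERVER_KEY, f"{nonce}|{describe(txn)}".encode(),
                   hashlib.sha256).hexdigest()
    return text, f"{nonce}.{mac}"

def verify_answer(token, txn, answer):
    """True only if the token matches this transaction and the user's typed
    amount equals what the server is about to execute."""
    try:
        nonce, mac = token.split(".")
        expected = hmac.new(SERVER_KEY, f"{nonce}|{describe(txn)}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        return abs(float(answer) - txn["grams"]) < 1e-9
    except (ValueError, KeyError):
        return False

def simulate(intended, received, user_phrase="blue kettle"):
    """Model the user answering from what they meant to do (intended) while
    the server verifies against what it received (possibly Trojan-altered)."""
    _text, token = build_challenge(user_phrase, received)
    answer = f"{intended['grams']:.3f}"
    return verify_answer(token, received, answer)

if __name__ == "__main__":
    honest = {"grams": 1.5, "to": "1234567"}
    drained = {"grams": 12.496, "to": "7654321"}   # session rider rewrote it
    print(simulate(honest, honest))    # True
    print(simulate(honest, drained))   # False
```

The point of the phrase in the image is mutual authentication: a user who does not see their own phrase knows they are not talking to the real site, and a user who sees a transfer they did not intend declines to answer.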