Florian Weimer writes:

|
| >>It would seem simple to thwart such a trojan with strong authentication
| >>simply by requiring a second one-time passcode to validate the
| >>transaction itself in addition to the session.
| >>
| >
| > How does the user know which transaction is really being authenticated?
|
| You send the pass code in an SMS to the user's mobile phone, together
| with some information on the transaction.  (If the SMS delay is a
| problem, use a computer-generated phone call.)  The pass code is then
| entered by the user to authorize the transaction.
[ Disclaimer -- I advise this company ]

Take a look at Boojum Mobile -- it is precisely the idea of using the
cell phone as an out-of-band channel for an in-band transaction.

http://www.boojummobile.com

[ Disclaimer -- I advise this company ]

--dan

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
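The scheme Florian describes in the quoted text, as an added example that is not part of the thread and not Boojum Mobile's code: the server derives the pass code from the transaction it actually received, sends code plus transaction summary over the out-of-band channel, and executes only when that code comes back. The concrete choices (HMAC-SHA256 with RFC 4226 style truncation to six digits, a five-minute lifetime, a three-attempt limit, the "SMS" rendered as a plain string, and the sample payments) are assumptions made for this example. The demo walks through both the clean session and the man-in-the-browser case from the question Florian was answering: the trojan rewrites the payment, so the SMS describes a payment to the wrong payee, the user withholds the code, and a replayed or guessed code does not help the trojan.

```python
import hashlib
import hmac
import secrets
import time

# Parameters assumed for this example, not taken from the thread.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


def canonical(txn: dict) -> bytes:
    """Fixed field order so the same transaction always gives the same MAC input."""
    return f"{txn['account']}|{txn['payee']}|{txn['amount_cents']}|{txn['currency']}".encode()


def bind_code(key: bytes, txn: dict, nonce: bytes) -> str:
    """Six-digit code from HMAC-SHA256 over (nonce, transaction): it is only
    valid for this exact transaction, not for any other the trojan substitutes."""
    mac = hmac.new(key, nonce + canonical(txn), hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226: 4-byte window at an offset
    # taken from the low nibble of the last byte, mask to 31 bits, reduce mod 10^6.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def describe(txn: dict) -> str:
    """The transaction summary that travels with the code in the SMS."""
    return (f"pay {txn['amount_cents'] / 100:.2f} {txn['currency']} "
            f"to {txn['payee']} from {txn['account']}")


class Bank:
    """Server side. Records the transaction exactly as it arrived over the
    (possibly trojaned) web session, sends code + summary out of band, and
    executes only when the code bound to that transaction is presented."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now
        self._pending = {}  # txn_id -> [txn, nonce, expires_at, attempts_left]

    def request_transaction(self, txn: dict) -> tuple:
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self._pending[txn_id] = [dict(txn), nonce, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        code = bind_code(self._key, txn, nonce)
        sms = f"Code {code} to {describe(txn)}. If you did not request this, do nothing."
        return txn_id, sms

    def authorize(self, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        txn, nonce, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[txn_id]  # expired, or the 6-digit space is being brute-forced
            return False
        entry[3] -= 1
        if not hmac.compare_digest(bind_code(self._key, txn, nonce), code):
            return False
        del self._pending[txn_id]  # single use: replaying the same code is refused
        return True

    def is_pending(self, txn_id: str) -> bool:
        return txn_id in self._pending


def user_accepts_sms(sms: str, intended: dict) -> bool:
    """The human step: the code is only typed in if the SMS describes the
    payment the user actually meant to make."""
    return describe(intended) in sms


def demo() -> dict:
    """Constructed scenario: one honest payment and one rewritten by a trojan."""
    bank = Bank(key=secrets.token_bytes(32))
    intended = {"account": "DE11..0001", "payee": "Alice", "amount_cents": 10_000, "currency": "EUR"}

    # Clean session: the bank sees what the user meant, the SMS matches, the code works once.
    txn_id, sms = bank.request_transaction(intended)
    code = sms.split()[1]
    honest = user_accepts_sms(sms, intended) and bank.authorize(txn_id, code)
    replayed = bank.authorize(txn_id, code)

    # Man-in-the-browser: the trojan rewrites payee and amount before they reach the bank.
    tampered = dict(intended, payee="Mallory", amount_cents=500_000)
    txn_id2, sms2 = bank.request_transaction(tampered)
    user_notices = not user_accepts_sms(sms2, intended)  # SMS says Mallory, user withholds code
    # The trojan never sees the phone: it can only reuse the old code or guess.
    reuse_old_code = bank.authorize(txn_id2, code)
    real2 = int(sms2.split()[1])
    wrong_codes = [f"{(real2 + k) % 10**CODE_DIGITS:06d}" for k in range(1, MAX_ATTEMPTS + 2)]
    guesses = [bank.authorize(txn_id2, c) for c in wrong_codes]
    return {"honest": honest, "replayed": replayed, "user_notices": user_notices,
            "reuse_old_code": reuse_old_code, "any_guess_succeeded": any(guesses),
            "locked_out": not bank.is_pending(txn_id2)}


if __name__ == "__main__":
    print(demo())
```

Two things the example makes explicit that the one-paragraph description leaves implicit: the code must be derived from the transaction the server is about to execute, not from the one the user thinks they submitted, otherwise the SMS is just a second session password; and because the code is short, it needs a lifetime, single use, and an attempt limit, or the trojan can simply enumerate it from inside the session.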