Florian Weimer writes:
 | >>It would seem simple to thwart such a trojan with strong authentication
 | >>simply by requiring a second one-time passcode to validate the
 | >>transaction itself in addition to the session.
 | >>
 | >
 | > How does the user know which transaction is really being authenticated?
 | You send the pass code in an SMS to the user's mobile phone, together
 | with some information on the transaction.  (If the SMS delay is a
 | problem, use a computer-generated phone call.)  The pass code is then
 | entered by the user to authorize the transaction.

[ Disclaimer -- I advise this company ]

Take a look at Boojum Mobile -- it is
precisely the idea of using the cell
phone as an out-of-band channel for an
in-band transaction.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]