* Steven M. Bellovin:

> Again -- the scheme isn't foolproof, but it's probably *good enough*.

I agree that if you consider this scheme in isolation, it's better than plain user names and passwords. But I wonder if it significantly increases customer confusion because banks told their customers that they won't *ask* for credentials via email, but now a bank is *sending* them by email.

> As for keystroke loggers -- the bad guy would have to capture enough table
> entries that they'd have a reasonable probability of seeing challenges
> they'd already received.

If this technology enters the attacker's radar screen, the "keystroke logger" would be changed to scan mail folders for the message sent by the bank. Or it would alter the login page to display an empty matrix, without any further explanations. 8-/
