John Levine <jo...@iecc.com> writes:

>Clever though this scheme is, man-in-the-middle attacks make it no better
>than a plain SSL login screen.

You don't even need a MITM, just replace the site image on your phishing site with either a broken-image picture or a message that your award-winning site-image software is being upgraded and will be back soon and it's rendered totally ineffective. Ref: "The Emperor's New Security Indicators", Stuart Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer.

These things are as worthless as most of the other wish-it-was-two-factor authentication methods that US banks have deployed in reaction to the FFIEC guidance (in the case of Sitekey, it's the top-rated URL for the Prg malware, indicating that it presents no problem at all for the phishers). The best "two-factor" I've seen to date is the New Horizons Community Credit Union, whose idea of two-factor auth is "Oh, we got both kinds. We got user name *and* password".

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com