"Usage once" is not an effeective measure against mitm attacks, as has been discussed earlier in this thread. Give user error message, while executing txn of attacker's choice on the victim site with the legitimate user's authority.
How do disputed transactions get resovled in this supposedly more secure framework since 'the authenticaiton is infallible' (marketing speak)? Lyal -----Original Message----- From: deepquest [mailto:[EMAIL PROTECTED] Sent: Friday, 2 December 2005 9:44 AM To: Lyal Collins Cc: [EMAIL PROTECTED]; 'Full-Disclosure' Subject: Re: [Full-disclosure] Most common keystroke loggers? > In 1996, this virtual keypad concept was broken by taking 10x10 > pixel images > under the cursor click, showing the number/letters used in that > password. > > Virtual keypads are just a minor change of tactics, not a long term > resolution to this risk, imho. I agree but what about the second random password and challenge authentification? Both should be unique and usage once. -D _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
