Phishers Defeat 2-Factor Auth

2006-07-11 Thread Lance James
Full article at http: // blog.washingtonpost.com / securityfix / Citibank Phish Spoofs 2-Factor Authentication Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called two-factor authentication -- the second factor being something

Phishers Defeat 2-Factor Auth

2006-07-11 Thread Lance James
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2fa ctor_1.html Thought this might interest some. -Lance James - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL

Re: NIST hash function design competition

2006-07-11 Thread James A. Donald
Hal Finney wrote: I had not heard that there had been an official decision to hold a new competition for hash functions similar to AES. That is very exciting! The AES process was one of the most interesting events to have occured in the last few years in our field. Seemed like one of the

Call for Papers for the 4th VirtualGoods Workshop in Leeds

2006-07-11 Thread Ed Gerck
C A L L F O R P A P E R S The 4th International Workshop for Technology, Economy and Legal Aspects of Virtual Goods Organized by the GI Working Group ECOM and in parallel with

Re: Factorization polynomially reducible to discrete log - known fact or not?

2006-07-11 Thread Ondrej Mikle
Charlie Kaufman wrote: I believe this has been known for a long time, though I have never seen the proof. I could imagine constructing one based on quadratic sieve. I believe that a proof that the discrete log problem is polynomially reducible to the factorization problem is much harder and

Interesting bit of a quote

2006-07-11 Thread leichter_jerrold
...from a round-table discussion on identity theft in the current Computerworld: IDGNS: What are the new threats that people aren't thinking about? CEO Dean Drako, Sana Security Inc.: There has been a market change over the last five-to-six years, primarily due to

switching from SHA-1 to Tiger ?

2006-07-11 Thread Zooko O'Whielacronx
Hal: Thanks for the news about the planned NIST-sponsored hash function competition. I'm glad to hear that it is in the works. Yesterday I profiled my on-line data backup application [1] and discovered that for certain operations one third of the time is spent in SHA-1. For that reason,

Re: Phishers Defeat 2-Factor Auth

2006-07-11 Thread Anne Lynn Wheeler
Lance James wrote: Full article at http: // blog.washingtonpost.com / securityfix / happen to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by

RE: Phishers Defeat 2-Factor Auth

2006-07-11 Thread Lance James
Yep, the phishers finally started doing it. If it becomes a threat to them, they will adapt. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anne Lynn Wheeler Sent: Tuesday, July 11, 2006 10:39 AM To: cryptography@metzdowd.com Subject: Re: Phishers

Re: Interesting bit of a quote

2006-07-11 Thread Adam Fields
On Tue, Jul 11, 2006 at 01:02:27PM -0400, Leichter, Jerry wrote: [...] Business ultimately depends on trust. There's some study out there - I don't recall a reference - that basically finds that the level of trust is directly related to the level of economic success of an economy. There are

Re: Interesting bit of a quote

2006-07-11 Thread dan
Jerrold, I can corroborate the quote in that much of SarbOx and other recent regs very nearly have a guilty unless proven innocent quality, that banks (especially) and others are called upon to prove a negative: X {could,did} not happen. California SB1386 roughly says the same thing: If you

Re: switching from SHA-1 to Tiger ?

2006-07-11 Thread Hal Finney
Zooko writes: By the way, the traditional practice of using a hash function as a component of a MAC should, in my humble opinion, be retired in favor of the Carter-Wegman alternative such as Poly-1305 AES [7]. This is a great topic where there are lots of pros and cons. The CW MACs like

Re: NIST hash function design competition

2006-07-11 Thread Hal Finney
James Donald writes: My understanding is that no actual vulnerabilities have been found in Rijndael. What has been found are reasons to suspect that vulnerabilities will be found. Yes, I think that's correct on the theoretical side. I was also thinking of some of the implementation issues