Re: Phishers Defeat 2-Factor Auth
Lance James wrote: The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the man in the middle -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real. So long as logins are registered and performed in a web page, rather than in the chrome, we are hosed. Creating a login, and logging into it, has to be a browser and email client function, not a web page function. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Phishers Defeat 2-Factor Auth
Lance James wrote: Full article at http: // blog.washingtonpost.com / securityfix / happen to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by phishers. in thread in this mailing list more than year ago http://www.garlic.com/~lynn/aadsm19.htm#20 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#21 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#22 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security ... and so on - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Phishers Defeat 2-Factor Auth
Yep, the phishers finally started doing it. If it becomes a threat to them, they will adapt. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anne Lynn Wheeler Sent: Tuesday, July 11, 2006 10:39 AM To: cryptography@metzdowd.com Subject: Re: Phishers Defeat 2-Factor Auth Lance James wrote: Full article at http: // blog.washingtonpost.com / securityfix / happen to mention more than a year ago ... that it would be subject to mitm-attacks ... recent comment on the subject http://www.garlic.com/~lynn/aadsm24.htm#33 Threatwatch - 2-factor tokens attacked by phishers. in thread in this mailing list more than year ago http://www.garlic.com/~lynn/aadsm19.htm#20 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#21 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#22 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#23 Citibank discloses private information to improve security http://www.garlic.com/~lynn/aadsm19.htm#24 Citibank discloses private information to improve security ... and so on - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
