
Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth



On 7/10/06, dpw <dainw@xxxxxxx> wrote:
> For any mission critical applications, lately I have been using a
> server-side generated "magic hash" key that I generate when the form is
> loaded, and which gets posted along with my forms.

That's not a bad idea, but it wouldn't have helped here. This sounds like classic MITM.

The two-factor authentication solution should reduce the damage from
this attack.  The phishers probably made some cash from this scam, but
once the site was taken down the game was over.  They shouldn't be
able to use the stolen passwords without the tokens to go along with
them.

Regards,
Brian
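
An added illustration of the two points in the reply above, not part of the original message or of any poster's code: a per-form hash is issued to whoever loads the form, so an intermediary that relays the login passes it, while a captured password is useless later without a fresh token code. The `Site` class, the HMAC construction of the hash, the credential and the one-time codes are all assumptions constructed for this sketch.

```python
import hashlib
import hmac
import secrets


class Site:
    """Hypothetical login server (names and values are constructed for this example)."""

    def __init__(self):
        self.key = secrets.token_bytes(32)        # secret behind the per-form "magic hash"
        self.password = "correct horse"           # constructed credential
        self.unused_codes = {"492817", "730155"}  # constructed one-time token codes

    def _form_hash(self, session_id):
        return hmac.new(self.key, session_id.encode(), hashlib.sha256).hexdigest()

    def load_form(self):
        # The hash is handed to whoever requests the form, user or intermediary.
        session_id = secrets.token_hex(8)
        return session_id, self._form_hash(session_id)

    def submit(self, session_id, form_hash, password, code):
        if not hmac.compare_digest(self._form_hash(session_id), form_hash):
            return "rejected: form hash"
        if password != self.password:
            return "rejected: password"
        if code not in self.unused_codes:
            return "rejected: one-time code"
        self.unused_codes.discard(code)           # each code is accepted once
        return "accepted"


def login_via_intermediary(site, password, code):
    """Model of a man-in-the-middle page: it loads the real form and forwards the input."""
    session_id, form_hash = site.load_form()
    return site.submit(session_id, form_hash, password, code)


def demo():
    site = Site()
    sid, _ = site.load_form()
    return {
        # What the form hash does stop: a post that never loaded the form.
        "forged_form": site.submit(sid, "0" * 64, "correct horse", "492817"),
        # What it does not stop: a relay that loaded the form itself.
        "relayed_live": login_via_intermediary(site, "correct horse", "492817"),
        # After the relay is gone, the captured password and spent code fail.
        "captured_later": login_via_intermediary(site, "correct horse", "492817"),
    }
```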
