You are here: Home → wikidblog → MITM attacks, tokens vs phishing and mutual authentication

Recent entries: Two-factor for the cloud admin Aug 15, 2008; Debunking "Two-Factor Authentication Debunked by TSB Phish" admin Jul 02, 2008; New Howtoforge article - Postgresql admin Jul 02, 2008; World of Warcraft gets two-factor authentication - your bank won't follow admin Jul 01, 2008; Podwójne uwierzytelnianie admin Jun 10, 2008

Recent comments: Re:Security and Oil admin Apr 25, 2008; Re:Security and Oil Paul feet Apr 24, 2008; Re:100% open source admin Apr 22, 2008; Re:100% open source Adam Apr 22, 2008; Re:Capital Gains Tax Rates and Entrepreneurs Lance Oct 23, 2007

2007/03/08

MITM attacks, tokens vs phishing and mutual authentication

Kurt at anti-virus rants has a pair of posts, one on what is man-in-the-middle attack and a follow up on why tokens won't stop phishing, which lead me to an earlier post on why safe site indicators fail.

My comments:

If the one-time passcodes are used to authentication transactions instead of sessions, they would stop phishing. Though it would be best to have both session and transaction authentication, especially for accounts that are difficult to analyze for fraudulent transactions such as commercial and brokerage accounts.
Good host authentication will probably require software on the client side, but banks are very reluctant to distribute software. This gives an edge to the bad guys who have no problem with distributing software whatsoever.