Posted by:
admin
17 years, 1 month ago
Kurt at anti-virus rants has a pair of posts, one on what a man-in-the-middle attack is and a follow-up on why tokens won't stop phishing, which led me to an earlier post on why safe site indicators fail.
My comments:
- If the one-time passcodes are used to authenticate transactions instead of sessions, they would stop phishing. It would be best to have both session and transaction authentication, though, especially for accounts where fraudulent transactions are hard to spot by analysis, such as commercial and brokerage accounts.
- Good host authentication will probably require software on the client side, but banks are very reluctant to distribute software. This gives an edge to the bad guys, who have no problem whatsoever with distributing software.
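To make the session-versus-transaction distinction in the first comment concrete, here is an added example (not code from this post or from Kurt's posts, which describe no specific mechanism). It assumes HMAC-SHA256 codes truncated to six digits, a constructed shared secret, and constructed payee labels; a session-style passcode depends only on a counter, while a transaction-style code is computed over the payee and amount. The `relay_scenario` function models the man-in-the-middle case from the post: the victim supplies a valid code, and the relay submits a different transaction with it. The session code is accepted regardless of what was submitted; the transaction code fails verification as soon as the details change.

```python
import hmac
import hashlib
import json

# Constructed shared secret for illustration only; a real deployment provisions one per token.
SECRET = b"constructed-demo-secret"

# Constructed transactions: what the user intended versus what a relay substitutes.
TX_USER = {"payee": "ACCT-USER-INTENDED", "amount": "100.00", "currency": "USD"}
TX_RELAYED = {"payee": "ACCT-RELAY-SUBSTITUTED", "amount": "5000.00", "currency": "USD"}


def _six_digits(mac: bytes) -> str:
    """Truncate an HMAC to a 6-digit code using RFC 4226 style dynamic truncation."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def session_otp(secret: bytes, counter: int) -> str:
    """Session-style passcode: bound to a counter only, not to what the user is doing."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _six_digits(mac)


def transaction_code(secret: bytes, tx: dict) -> str:
    """Transaction-style code: bound to the canonical transaction details."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, canonical, hashlib.sha256).digest()
    return _six_digits(mac)


def bank_accepts_session(secret: bytes, counter: int, code: str, tx: dict) -> bool:
    """Session check: the submitted transaction plays no part in the decision."""
    return hmac.compare_digest(session_otp(secret, counter), code)


def bank_accepts_transaction(secret: bytes, tx: dict, code: str) -> bool:
    """Transaction check: the code is recomputed over the transaction actually submitted."""
    return hmac.compare_digest(transaction_code(secret, tx), code)


def relay_scenario(counter: int = 42) -> tuple:
    """Model the relay case: the user authorises TX_USER, the relay submits TX_RELAYED
    with the user's code. Returns (session_check_accepted, transaction_check_accepted)."""
    user_session_code = session_otp(SECRET, counter)
    user_tx_code = transaction_code(SECRET, TX_USER)
    session_accepted = bank_accepts_session(SECRET, counter, user_session_code, TX_RELAYED)
    tx_accepted = bank_accepts_transaction(SECRET, TX_RELAYED, user_tx_code)
    return session_accepted, tx_accepted


if __name__ == "__main__":
    print("session check / transaction check on relayed transaction:", relay_scenario())
```

The transaction code only protects the user if the details they sign are the details they actually see, which is why the second comment's point about client-side software matters: a token or device that displays the payee and amount before producing the code closes the gap that a bare passcode leaves open.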
