funsec mailing list archives

Re: Re[2]: The end of Phishing in sight?


From: "Douglas F. Calvert" <douglasfcalvert () gmail com>
Date: Mon, 17 Oct 2005 18:59:26 -0400

With MITM being the magic bullet, I don't doubt it could work in some
cases. But targeting a ssl web site where the customer has safely gone
before, carrying an MITM on the login, executing an operation and
convincing the customer to sign for it (for example by substituting
another operation) and relying on the customer who is logged not
seeing that the pending operation isn't the one he signed for is
really much more involved than stealing a login. I am sure
implementations will differ and some of them will be better than
others though.

Phishing would not be an issue if customers always went to "a ssl web
site where the customer has safely gone before." The problem is that
when customers get a phishing email now they will think they are safe
since their bank sent them this fancy thing that goes on their
keychain. MitM is not a "magic bullet"; it is the obvious attack based
on the standard phishing MO...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

