Interesting People mailing list archives

more on SSL/false security


From: "Dave Farber" <dave () farber net>
Date: Fri, 10 Aug 2007 06:30:42 +0900



-----Original Message-----
From: Strata R Chalup [mailto:strata () virtual net] 
Sent: Friday, August 10, 2007 6:14 AM
To: dave () farber net
Subject: more on SSL/false security


http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html
is a great writeup on two-phase authentication systems and man in the middle
attacks, using a real exploit on Bank of America's SiteKey(tm) system as an
example.  Note that a proxied MitM attack can simply exploit the user's own
security questions to bypass the 'secure' vendor cookie that supposedly
prevents such attacks.

Note that the institutions using these systems often don't consider the
impact of their own policies on site improvement.  I had to spend some of my
bank's tech support money to prove to myself that I hadn't been phished when
they suddenly, without any notice to customers, "improved" the online UI.
Log in, see a different interface that resembles the old one but is clearly
different.  The truly sad thing is that their tech support mentioned that
they hadn't gotten many calls about this-- in a tone that implied "Why are
you even asking?"

O Brave New World, that has such *cough* whatever in it.

best regards,
Strata R Chalup
CEO, founder Virtual.Net Inc

*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
* Artist, Gardener, Engineer, Slacker, Bodhisattva  *
* Strategic IT Consulting   |  strata () virtual net *
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*


-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
