Full Disclosure mailing list archives

Re: Most common keystroke loggers?


From: Rodrigo Barbosa <rodrigob () suespammers org>
Date: Fri, 2 Dec 2005 16:03:53 -0200

On Fri, Dec 02, 2005 at 11:35:16AM -0600, Frank Knobbe wrote:
> At the end of the day, one-time-passwords for login *and* transactions
> are probably the only real solution to prevent replay and mitm attacks
> (the latter using OTP hashed transactions).

Actually, there is always the possibility of out-of-band authentication.

Here is a scenario I've encountered before:

1) You get to the login screen
2) The login screen will give you a code
3) You get the phone, dial a number, and enter the code
   provided, along with some other information
4) The system authenticates you out of band
5) You simply click "continue" on the login screen

There are other possible scenarios, of course, but this is just
one I've seen once.

[]s

- -- 
Rodrigo Barbosa <rodrigob () suespammers org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
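The five-step out-of-band flow described in the post, as an added example that is not code from the original message or from any real product: one simulated server holds both the login screen (steps 1, 2 and 5) and the phone verifier (steps 3 and 4), and the test shows why a keylogger on the PC gains nothing from the displayed code alone. The session id format, six-digit code, two-minute TTL and the constructed user-to-PIN table are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    code: str                   # one-time code shown on the login screen
    created: float              # issue time (seconds)
    user: Optional[str] = None  # set only once the phone channel confirms
    consumed: bool = False      # "continue" may succeed only once


class OOBAuthServer:
    """Simulates both ends: the web login screen and the phone verifier."""

    def __init__(self, user_pins: Dict[str, str], ttl: float = 120.0):
        self.user_pins = user_pins  # constructed: user -> phone PIN (assumption)
        self.ttl = ttl              # code lifetime, assumed 120 s
        self.sessions: Dict[str, Session] = {}

    def start_login(self, now: float) -> Tuple[str, str]:
        """Steps 1-2: the login screen issues a session and a display code."""
        sid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = Session(code, now)
        return sid, code

    def phone_verify(self, user: str, code: str, pin: str, now: float) -> bool:
        """Steps 3-4: the caller enters the displayed code plus a PIN by phone.
        The PIN never touches the PC keyboard, so a keylogger there captures
        only the short-lived code, which is useless without the phone channel."""
        pin_ok = user in self.user_pins and hmac.compare_digest(self.user_pins[user], pin)
        for s in self.sessions.values():
            if (s.user is None and now - s.created <= self.ttl
                    and hmac.compare_digest(s.code, code) and pin_ok):
                s.user = user  # bind the confirmed identity to this session only
                return True
        return False

    def continue_login(self, sid: str, now: float) -> Optional[str]:
        """Step 5: "continue" succeeds only for a session the phone channel
        confirmed, within the TTL, and only once (a replayed click fails)."""
        s = self.sessions.get(sid)
        if s is None or s.user is None or s.consumed or now - s.created > self.ttl:
            return None
        s.consumed = True
        return s.user
```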
