nanog mailing list archives

Re: Phishing and BGP Blackholing


From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 03 Jan 2007 15:35:30 +0100


* Neil J. McRae:

I didn't see the original post but the topic came
up in 2005 here in the UK as the banks here wanted to
use BGP filtering in the same light. The LINX prepared
a paper on the issues with BGP blackholing and recommended
that if the banks want to trade on the Internet that
they should introduce authentication systems that are fit
for purpose (SecureID for example (many banks had already
done this)).

Banks have deployed much more secure systems than SecureID, and there
have been successful attacks against them.

SecureID might be helpful if you want to differentiate your product
between automatic and manual use, but it doesn't do anything to
authenticate the party you are relaying information to.  But it's
useless in a phishing context.  If you want a token solution, at least
use something that factors in transaction-related data.
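As an added illustration (not part of the thread) of the distinction drawn above: a one-time code that depends only on a shared secret and a counter verifies no matter which transaction it accompanies, while a code that also covers the payee and amount fails when a relay attaches it to a different transaction. The secret, counter and transaction values below are constructed for the demo, and the truncation mirrors HOTP-style 6-digit codes.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the token and the bank (not a real key).
SECRET = b"demo-shared-secret-0123456789"


def otp_code(secret: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the secret and a counter, not on
    what the user is about to authorise (HOTP-like, truncated to 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"


def tx_code(secret: bytes, counter: int, beneficiary: str, amount: int) -> str:
    """Transaction-bound code: the MAC also covers payee and amount, so a
    code captured for one transfer does not verify for another."""
    msg = struct.pack(">Q", counter) + beneficiary.encode() + struct.pack(">Q", amount)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**6:06d}"


def relayed_code_verifies(scheme: str) -> bool:
    """Model the phishing failure mode: the victim enters a code for the
    transfer shown on the phishing page; the relay forwards that code to
    the bank attached to a different beneficiary and amount. Returns True
    if the bank accepts the relayed code."""
    counter = 42
    victim_tx = ("ACME Utilities", 120)      # constructed: what the victim saw
    relayed_tx = ("Other Account", 5000)     # constructed: what the bank received
    if scheme == "otp":
        captured = otp_code(SECRET, counter)
        # The bank can only check the code itself; the transaction is unbound.
        return hmac.compare_digest(captured, otp_code(SECRET, counter))
    if scheme == "tx":
        captured = tx_code(SECRET, counter, *victim_tx)
        # The bank recomputes the code over the transaction it actually received.
        return hmac.compare_digest(captured, tx_code(SECRET, counter, *relayed_tx))
    raise ValueError(f"unknown scheme: {scheme}")
```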
