WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Saqib Ali <docbook.xml () gmail com>
Date: Thu, 14 Jul 2005 11:38:27 -0700
How is this better than a graphic of a piece of distorted text?
How can a piece of distorted text authenticate a website???
A non-technical user won't know this ACuTrust thing from an animated GIF.
Actually, an animated GIF will be timing-based, and not controlled by what is entered in the password field, i.e. an animated GIF will seem to decrypt even if the user types in the wrong passphrase. Which should make the user a little bit suspicious :)

Acutrust is a great technology for tackling the phishing problem. But it has the problem of the MIM attack. An attacker can create a webpage that acts as a proxy between the Acutrust-protected site and the user's desktop. This way the attacker can capture the user's password without the user knowing. The user will still see the decrypted token as he/she enters the password.

For example, see below:
http://www.xml-dev.com/xml/phishing/acutrust.html
passphrase: password

Try 'password' as the passphrase, and the token will still decrypt, and the user cannot tell that they are at a phishing site.

--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
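The point made in the message above, as an added toy model that is not part of the original post and is not Acutrust's own code: a check that depends only on the passphrase and the encrypted token gives the same result on a relayed page, while a check bound to the serving origin does not. Assumptions: the XOR keystream stands in for the token encryption (the message does not describe the real design), and all names, origins and values are constructed.

```python
import hashlib

ENROLLED_ORIGIN = "https://bank.example"       # constructed sample values
RELAY_ORIGIN = "https://bank-login.example"
TOKEN = b"BLUE-HERON-42"                       # what the user expects to see
PASSPHRASE = "correct horse"

def _xor_with_passphrase(data: bytes, passphrase: str) -> bytes:
    """Toy cipher (assumption): XOR with a PBKDF2-derived keystream."""
    ks = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                             b"constructed-salt", 1000, dklen=len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_page(served_from: str, token: bytes, passphrase: str) -> dict:
    """Login page as the real site serves it: origin plus encrypted token."""
    return {"served_from": served_from,
            "blob": _xor_with_passphrase(token, passphrase)}

def relay_page(upstream_page: dict, relay_origin: str) -> dict:
    """A relayed copy: the blob is forwarded unchanged, only the origin differs.
    Whoever serves the page is also who receives what is typed into it."""
    return {"served_from": relay_origin, "blob": upstream_page["blob"]}

def visual_check(page: dict, typed: str, expected_token: bytes) -> bool:
    """What the user relies on: does the token decrypt as they type?"""
    return _xor_with_passphrase(page["blob"], typed) == expected_token

def origin_check(page: dict, enrolled_origin: str) -> bool:
    """A check bound to where the page came from, not to its content."""
    return page["served_from"] == enrolled_origin

def evaluate(page: dict, typed: str) -> dict:
    return {"visual": visual_check(page, typed, TOKEN),
            "origin": origin_check(page, ENROLLED_ORIGIN)}

if __name__ == "__main__":
    real = make_page(ENROLLED_ORIGIN, TOKEN, PASSPHRASE)
    relayed = relay_page(real, RELAY_ORIGIN)
    print("direct :", evaluate(real, PASSPHRASE))
    print("relayed:", evaluate(relayed, PASSPHRASE))
    print("wrong passphrase:", evaluate(real, "passw0rd"))
```

The visual check is identical for the direct and relayed pages, so only a property tied to the origin (the TLS-verified hostname, or a credential the browser scopes to that origin) separates the two cases.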