Re: [Full-disclosure] simple phishing fix



On Tue, July 29, 2008 2:31 pm, Glenn.Everhart@xxxxxxxxx wrote:
You might eliminate phishing but there are occasionally messages from
people at these institutions also. This sort of thing is in essence
allowing phishers a denial of service attack against anyone they choose
to make themselves a nuisance with.

I am not well pleased with any bank authentication I have seen so far
personally; seems to me finance-related messages should be authenticated
both ways and preferably a confirming authentication to demonstrate the
subject agrees with the transaction should be done before such are
accepted. That kind of thing would be hard to spoof and if done right
pretty useless to someone who could record entire transactions.

As for email, judge by its content. This posting for example will do
nothing to your money, sells you nothing. Nor does it ask any information
of you. If it were spoofed it would be harmless.

Glenn Everhart


But it is from Chase.... and nothing good comes from Chase ;-)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
