[FoRK] Poisoned DNS and informal certificates
Stephen D. Williams <sdw at lig.net> on Tue Feb 19 17:56:44 PST 2008
BofA (Bank of America) has had the image verification for a while as a
sort of "you won't look at our certificate so look at this image that
you picked from our small set instead". Not really that great, but
something.
Now, they have added an out of band communication verification that,
these days, isn't bad. I've seen something like this before using home
phones for location verification, but that was doomed coming as it did
just before we all went VOIP...
BofA allows you to sign up for SMS verification. For certain
transactions, like adding a new payee, you are asking them to verify
that it's really you by sending you an SMS verification code that you
must then type in. Out of band is one of the better solutions to the
possibilities of man-in-the-middle attacks and insecure links in the
chain (network, ISP, your Windows operating system, etc.).
sdw
silky wrote:
> On Feb 20, 2008 10:46 AM, Tom Higgins <tomhiggins at gmail.com> wrote:
>
>> In a more perfect world bank access would be done via one time use pads.
>>
>
> Accessing a bank is trivially solved with an "offline" contact model
> that you use. I once suggested that the bank would email you your "one
> time" password when you requested to log in. Then you just use that
> within a time period to get in; there is no chance of you being
> phished for information under that model, because you can't get any
> useful information out. The bank's email would not display to you,
> even, the password, it would just generate a link which you click.
> Maybe you could, if prompted, copy that link into the MITM site; but
> it does sufficiently, I think, lower the minimum stupidity level
> required to be successfully phished.
>
>
>
>> And yea, even then...and yea the overhead of machinations..
>>
>> -tom(we need to go to a GP standard...what's the conversion to platinum
>> again?:)-)higgins
>>
>> _______________________________________________
>> FoRK mailing list
>> http://xent.com/mailman/listinfo/fork
>>
>
>
--
swilliams at hpti.com http://www.hpti.com Per: sdw at lig.net http://sdw.st
Stephen D. Williams 703-371-9362C 703-995-0407Fax 94043 AIM: sdw
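The out-of-band verification Stephen describes (a code sent over SMS that must be typed in before a new payee is added) is only as strong as the binding between the code and the transaction it approves. The following added example, not code from the post or from any bank, sketches the server-side half: a hypothetical `OutOfBandVerifier` that ties a short one-time code to the account, the payee and an expiry, so that a code relayed through a man-in-the-middle cannot approve a different payee, be replayed, or be used after the window closes. Transaction ids, account and payee strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is only good for five minutes
CODE_DIGITS = 6          # short enough to type from an SMS


class OutOfBandVerifier:
    """Issues a one-time code bound to one transaction and checks it once.

    Binding the code to the account, the payee and a deadline means a code
    that a man-in-the-middle relays cannot approve a different payee, cannot
    be replayed, and cannot be used after the window closes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can move time
        self._pending = {}           # txn_id -> (digest, deadline)

    @staticmethod
    def _digest(code, account, payee, deadline):
        # The stored value commits to the transaction details, not just the code.
        material = f"{code}|{account}|{payee}|{deadline}".encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, txn_id, account, payee):
        """Create the code to send over the second channel (SMS, never the browser)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        deadline = self._clock() + CODE_TTL_SECONDS
        self._pending[txn_id] = (self._digest(code, account, payee, deadline), deadline)
        return code

    def verify(self, txn_id, account, payee, submitted):
        """Return True only for the right code, right details, inside the window.

        Every attempt consumes the pending entry, so a six-digit code gets one
        guess, and a wrong or tampered submission forces a fresh code.
        """
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return False
        expected, deadline = entry
        if self._clock() > deadline:
            return False
        actual = self._digest(submitted, account, payee, deadline)
        return hmac.compare_digest(expected, actual)
```

The browser session never sees the code until the user types it, which is what makes the channel out-of-band; the binding to the payee is what stops a MITM from substituting its own payee under a code the user legitimately approved.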