Hello Michael,
Interesting article, and well-written.
The technique you are proposing is very similar to assigning a RSA
SecureID to each of the banc customer. Except in this case the customer
doesn't hold the physical SecureID, instead he/she is sent the
auto-generated number.
One major problem of these kind of systems is that, they are dependent on
3rd party service being available whenever the customer wants to access
the banc. In this case the 3rd party service is the customer's personal
email provider, which may not be available all the time.
RSA SecureID has the same problem, i.e. what if the customer loses his/her
SecureID and is at a remote location where he/she can not physically go to
banc branch.
Thanks.
Saqib Ali
http://validate.sf.net
"Michael Silk" <michaels@phg.com.au>
No Phone Info Available
11/22/2004 07:40 PM
To
<webappsec@securityfocus.com>
cc
Subject
Article - A solution to phishing
Hi,
Just a quick little article about a login system that, should (i
think :)), prevent phishing attempts on your site.
http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
l
Have a look at it and let me know what you think ... and apologies
to anyone if an idea like this is already out there :)
-- Michael
**********************************************************************
This email message and accompanying data may contain information that is
confidential and/or subject to legal privilege. If you are not the
intended recipient, you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you have
received this email message in error, please notify us immediately and
erase all copies of this message and attachments.
This email is for your convenience only, you should not rely on any
information contained herein for contractual or legal purposes. You should
only rely on information and/or instructions in writing and on company
letterhead signed by authorised persons.
**********************************************************************
