AOL Help : About AOL® PassCode

Ian G iang at
Thu Jan 6 05:10:31 PST 2005

Joerg Schneider wrote:

> So, PassCode and similar forms of authentication help against the 
> current crop of phishing attacks, but that is likely to change if 
> PassCode gets used more widely and/or protects something of interest 
> to phishers.
> Actually I have been waiting for phishing with MITM to appear for some 
> time (I haven't any yet ...

By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real

Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.

(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)

Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?

> Assuming that MITM phishing will begin to show up and agreeing that 
> PassCode over SSL is not the solution - what can be done to counter 
> those attacks?

The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.

> Mutual authentication + establishment of a secure channel should do 
> the trick. SSL with client authentication comes to my mind...

Maybe.  But that only addresses the MITM, not the
theft of user information.

News and views on what matters in finance+crypto:
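The two MITM flavours named in the reply above (a copy of the site that harvests a one-time code and logs in later, versus a live proxy that relays it at once) and the channel-binding idea behind "the user+client has to authenticate the server" can be simulated in a few dozen lines. The following is an added example, not code from the original post or from AOL's PassCode service; the 60-second code lifetime, the HOTP-style code derivation, the user/device names and the certificate-fingerprint binding check are all assumptions made for the illustration.

```python
"""
Constructed simulation of the phishing scenarios discussed in the post.
Nothing here is AOL's or any bank's real protocol; the code lifetime,
the names and the channel-binding check are assumptions for the example.
"""
import hashlib
import hmac

STEP_SECONDS = 60  # assumed lifetime of one PassCode-style code


def passcode(seed: bytes, now: int) -> str:
    """HOTP-style six-digit code computed over the current time step."""
    counter = (now // STEP_SECONDS).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class Bank:
    """The real site: knows each user's password, token seed and device key."""

    def __init__(self, cert: bytes):
        self.cert = cert    # fingerprint of the certificate it really serves
        self.users = {}     # name -> (password, token seed, device key)
        self.used = set()   # (name, code) pairs already accepted (simplified)

    def enrol(self, name, password, seed, device_key):
        self.users[name] = (password, seed, device_key)

    def login(self, name, password, code, now, binding=None):
        pw, seed, device_key = self.users[name]
        if password != pw or code != passcode(seed, now):
            return "rejected: bad password or stale code"
        if (name, code) in self.used:
            return "rejected: code already replayed"
        if binding is not None:
            # Client must prove it spoke to *this* certificate, not a proxy's.
            expected = hmac.new(device_key, self.cert, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(binding, expected):
                return "rejected: login bound to another server"
        self.used.add((name, code))
        return "accepted"


class Client:
    """User plus browser/token; sends credentials to whatever it connected to."""

    def __init__(self, name, password, seed, device_key):
        self.name, self.password = name, password
        self.seed, self.device_key = seed, device_key

    def credentials(self, now, peer_cert=None):
        creds = {"name": self.name, "password": self.password,
                 "code": passcode(self.seed, now), "binding": None}
        if peer_cert is not None:
            # Channel binding: MAC over the certificate the client actually saw.
            creds["binding"] = hmac.new(self.device_key, peer_cert,
                                        hashlib.sha256).hexdigest()
        return creds


def batch_mitm(bank, client, t_capture, t_replay):
    """'Delayed' MITM: a copy of the site harvests everything, logs in later."""
    c = client.credentials(t_capture)
    return bank.login(c["name"], c["password"], c["code"], t_replay)


def realtime_mitm(bank, client, now):
    """'Real time' MITM: the phisher proxies the session and relays at once."""
    c = client.credentials(now)
    return bank.login(c["name"], c["password"], c["code"], now)


def bound_login(bank, client, now, peer_cert):
    """Channel-bound login; peer_cert is the certificate the client connected to.
    Returns the bank's verdict and the password whoever sat in between now holds."""
    c = client.credentials(now, peer_cert=peer_cert)
    verdict = bank.login(c["name"], c["password"], c["code"], now,
                         binding=c["binding"])
    return verdict, c["password"]


def demo():
    # Constructed enrolment data; the fingerprints are placeholders.
    bank = Bank(cert=b"sha256:bank-cert-fingerprint")
    client = Client("alice", "hunter2", b"token-seed", b"device-key")
    bank.enrol("alice", "hunter2", b"token-seed", b"device-key")
    phisher_cert = b"sha256:phisher-cert-fingerprint"
    return {
        "batch_late": batch_mitm(bank, client, 1000, 1000 + 2 * STEP_SECONDS),
        "batch_quick": batch_mitm(bank, client, 5000, 5010),
        "batch_second_use": batch_mitm(bank, client, 5000, 5010),
        "realtime": realtime_mitm(bank, client, 2000),
        "bound_direct": bound_login(bank, client, 3000, bank.cert),
        "bound_proxied": bound_login(bank, client, 4000, phisher_cert),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:18s} {outcome}")
```

Run it and the results line up with the post: a harvested code only fails if the phisher waits past its lifetime (replaying it within the same minute still succeeds, and only a second use is caught), a live proxy gets in every time, and channel-bound client authentication stops the proxy but, as the final tuple shows, the intermediary still walked away with the password.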
