Ian G iang at
Thu Jan 6 05:10:31 PST 2005

Joerg Schneider wrote:

> So, PassCode and similar forms of authentication help against the 
> current crop of phishing attacks, but that is likely to change if 
> PassCode gets used more widely and/or protects something of interest 
> to phishers.
> Actually I have been waiting for phishing with MITM to appear for some 
> time (I haven't any yet ...

By this you mean a dynamic, immediate MITM where
the attacker proxies through to the website in real

Just as a point of terms clarification, I would say that
if the attacker collects all the information by using
a copy of the site, and then logs in later at leisure
to the real site, that's an MITM.

(If he were to use that information elsewhere, so for
example creating a new credit arrangement at another
bank, then that technically wouldn't be an MITM.)

Perhaps we need a name for this:  real time MITM
versus delayed time MITM?  Batch time MITM?

> Assuming that MITM phishing will begin to show up and agreeing that 
> PassCode over SSL is not the solution - what can be done to counter 
> those attacks?

The user+client has to authenticate the server.  Everything
that I've seen over the last two years seems to fall into
that one bucket.

> Mutual authentication + establishment of a secure channel should do 
> the trick. SSL with client authentication comes to my mind...

Maybe.  But that only addresses the MITM, not the
theft of user information.
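
The real-time versus batch-time distinction above, and the point that the user and client have to authenticate the server, as an added illustration in Python. This is not code from the original thread; the hostnames, the shared secret, the 30-second passcode window and the origin-binding scheme are all assumptions made for the demo. A one-time passcode typed into a phishing page is useless to a phisher who logs in later (batch time) but works for one who relays it to the real site immediately (real time); binding the code to the server name the client verified closes the real-time case too, because the code minted for the phishing host never verifies at the bank.

```python
import hashlib
import hmac

# Constructed parameters for the illustration (not from the original post).
WINDOW = 30                            # seconds one passcode window lasts
BANK = "bank.example"                  # hypothetical real site
PHISH = "bank-secure-login.example"    # hypothetical phishing host


def passcode(secret: bytes, now: int, origin: str = "") -> str:
    """Time-based one-time passcode derived from a shared secret.

    When `origin` is non-empty the code is also bound to the server name the
    client believes it is talking to, so a code minted while looking at the
    phishing host verifies only there, never at the real bank.
    """
    msg = f"{now // WINDOW}|{origin}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """The real site: accepts the current and previous window, rejects reuse."""

    def __init__(self, origin: str, users: dict):
        self.origin = origin
        self.users = users        # username -> shared secret
        self.used = set()         # (user, code) pairs already consumed

    def login(self, user: str, code: str, now: int, bound: bool = False) -> bool:
        secret = self.users.get(user)
        if secret is None:
            return False
        origin = self.origin if bound else ""
        for t in (now, now - WINDOW):
            expected = passcode(secret, t, origin)
            if hmac.compare_digest(expected, code) and (user, expected) not in self.used:
                self.used.add((user, expected))
                return True
        return False


class Victim:
    def __init__(self, user: str, secret: bytes):
        self.user, self.secret = user, secret

    def submit(self, site: str, now: int, bound: bool = False):
        """Type user name and passcode into whatever site is on screen."""
        return self.user, passcode(self.secret, now, site if bound else "")


T0 = 1_700_000_000                       # fixed clock so runs are deterministic
SECRET = b"constructed-shared-secret"    # constructed, not a real credential


def scenario(site: str, delay: int, bound: bool) -> bool:
    """Victim submits to `site` at T0; the captured code reaches the bank at T0 + delay."""
    bank = Bank(BANK, {"alice": SECRET})
    alice = Victim("alice", SECRET)
    user, code = alice.submit(site, T0, bound)        # seen by the phisher if site is PHISH
    return bank.login(user, code, T0 + delay, bound)  # phisher (or alice) presents it


def real_time_mitm() -> bool:
    """Phisher relays the code to the bank within the same window."""
    return scenario(PHISH, delay=0, bound=False)


def batch_mitm() -> bool:
    """Phisher logs in at leisure, three windows later: the code has expired."""
    return scenario(PHISH, delay=3 * WINDOW, bound=False)


def real_time_mitm_bound() -> bool:
    """Same relay, but the client bound the code to the host it actually verified."""
    return scenario(PHISH, delay=0, bound=True)


def honest_login_bound() -> bool:
    """Origin binding must still let the genuine user in at the genuine site."""
    return scenario(BANK, delay=0, bound=True)


def replay_within_window() -> bool:
    """A code captured after a genuine login is rejected even inside its window."""
    bank = Bank(BANK, {"alice": SECRET})
    user, code = Victim("alice", SECRET).submit(BANK, T0)
    first = bank.login(user, code, T0)
    second = bank.login(user, code, T0 + 5)   # attacker replays five seconds later
    return first and not second


if __name__ == "__main__":
    print("real-time MITM succeeds:       ", real_time_mitm())
    print("batch-time MITM succeeds:      ", batch_mitm())
    print("real-time MITM, bound code:    ", real_time_mitm_bound())
    print("honest login, bound code:      ", honest_login_bound())
    print("replay inside window rejected: ", replay_within_window())
```

The binding step stands in for whatever mechanism lets the client be sure of the server name (a verified TLS certificate, a client-side key per site); the point the example makes is that without it a one-time passcode only moves the phisher from batch time to real time.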

