Gettin’ spanked over two-factor
OK, so I’ve been getting some flak from my post the other day about two-factor authentication and phishing. Pete Lindstrom over at Spire gives me the wagging finger on the issue, saying that just because there is one phishing site using two-factor, it still has value; Mike Rothman over at Security Incite sides with Pete, pointing out that there is a security benefit to two-factor and...
I told you so – two factor does nothing for phishing.
Apparently, a phishing site has been found that allows phishers to take advantage of users even when two factor authentication is employed. Here’s what happens – you get an email telling you to follow a link to “your bank” (really a bogus site.) You connect to it and enter your two-factor authentication data. The site then opens a connection and uses your credentials to...
Come on, say “two factor” again. I dare you. I double dare you.
Today, I saw a press release from Green Armor hyping that Six Credit Unions Choose Green Armor Solutions’ Identity Cues Two Factor for FFIEC and NCUA Compliant Two-Factor & Two-Way (Mutual) Authentication. Do I even need to say why this irritates me? You probably already know that it infuriates me when vendors use FFIEC guidance to try to sell product. Green Armor is in that camp...
Phishing Phoolishness
OK, you’ve all heard of phishing. New, and probably growing, is pharming, which seeks to use other means to send users to bogus websites. Quoting from the Register article’s advice on how to mitigate the problem, this stands out: “Banking sites could adopt two-factor authentication as a comprehensive defence.” And it’s not just el reg saying this either: Microsoft...
\-\4x0r1|\|g 7h3 p|-|1Sh0rzzzz
How much do I love this? Phishers getting trounced by defacing groups; all in all, I think it’s probably less about defacers turning away from the “dark side” as giving them a ripe target on the open Internet that they can’t get busted for defacing and that will get them media attention. Unlike the reporter covering this, I think this activity is likely to increase given...
How not to stop phishing…
TriCipher put out a press release today saying that they prevent phishing. I’m not sure that these people are really clued into reality. Why do I say this? Here are a few reasons: 1) Saying Eric Greenberg is the “one of the developers of the SSL protocol” is an interesting turn of phrase. Quoting Eric himself, he was “Group Security Product Manager for Netscape, where...
Spammer Sophistication
Citibank and their customers are the latest victims of a spam/redirection attack. In the past the email subject, misspellings in the email, and link URLs have been dead giveaways that the email is fraudulent. But recent spams have become more sophisticated in an ongoing effort to trick users into parting with their account and password information. It’s becoming harder for users to discern...
Look before you Click
An IDG News Article at NW fusion reports: Fake bank Web site scam reaches U.S. This one targeting Bank of America customers. Though it could have been any bank. Take a look at the URL of a site before entering personal information. It’s not a foolproof protection, but it’s a great place to start.