ARP-spoofing defense

Levi Pearson levi at
Wed Mar 14 11:22:26 MDT 2007

Topher Fischer <javert42 at> writes:
> Since I've started working on this, I haven't used a login form that
> wasn't given to me over SSL.  Luckily, everything I use has some sort of
> secure login form somewhere on their site.  I've tried to find one for
> Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.

Zion's Bank uses one of those new-fangled multi-step logins.  You
enter your user id on the front page, and then you are shown a picture
and asked a question (over a ssl connection) or, if you've previously
done this step and got a cookie, you're shown a picture and asked to
enter your password.  Since only the user id is entered into the form
in the non-ssl page, it should be safe from your particular attack.


More information about the PLUG mailing list