ARP-spoofing defense

Levi Pearson levi at cold.org
Wed Mar 14 11:22:26 MDT 2007


Topher Fischer <javert42 at cs.byu.edu> writes:
> Since I've started working on this, I haven't used a login form that
> wasn't given to me over SSL.  Luckily, everything I use has some sort of
> secure login form somewhere on their site.  I've tried to find one for
> Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.

Zion's Bank uses one of those new-fangled multi-step logins.  You
enter your user id on the front page, and then you are shown a picture
and asked a question (over a ssl connection) or, if you've previously
done this step and got a cookie, you're shown a picture and asked to
enter your password.  Since only the user id is entered into the form
in the non-ssl page, it should be safe from your particular attack.

                --Levi





More information about the PLUG mailing list