levi at cold.org
Wed Mar 14 11:22:26 MDT 2007
Topher Fischer <javert42 at cs.byu.edu> writes:
> Since I've started working on this, I haven't used a login form that
> wasn't given to me over SSL. Luckily, everything I use has some sort of
> secure login form somewhere on their site. I've tried to find one for
> Zion's bank, and haven't been able to. Fortunately, I don't bank with them.
Zion's Bank uses one of those new-fangled multi-step logins. You
enter your user id on the front page, and then you are shown a picture
and asked a question (over a ssl connection) or, if you've previously
done this step and got a cookie, you're shown a picture and asked to
enter your password. Since only the user id is entered into the form
in the non-ssl page, it should be safe from your particular attack.
More information about the PLUG