ARP-spoofing defense

Von Fugal von at fugal.net
Sun Mar 18 17:53:28 MDT 2007


* Levi Pearson [Wed, 14 Mar 2007 at 11:22 -0600]
> Topher Fischer <javert42 at cs.byu.edu> writes:
> > Since I've started working on this, I haven't used a login form that
> > wasn't given to me over SSL.  Luckily, everything I use has some sort of
> > secure login form somewhere on their site.  I've tried to find one for
> > Zion's bank, and haven't been able to.  Fortunately, I don't bank with them.
> 
> Zion's Bank uses one of those new-fangled multi-step logins.  You
> enter your user id on the front page, and then you are shown a picture
> and asked a question (over an SSL connection) or, if you've previously
> done this step and got a cookie, you're shown a picture and asked to
> enter your password.  Since only the user id is entered into the form
> in the non-ssl page, it should be safe from your particular attack.
> 
>                 --Levi

Unfortunately, with Zions, at least as far as I've seen, the "username"
that they use is your SSN. On top of that, what I really don't get is
why if you try to put https in front of the home page it just fails to
load at all. I called once about this but lost patience when the
bonehead on the phone just insisted that "the password page is secure".
Oh well.

Von Fugal
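An added check (not part of this thread) that audits a page's login forms the way the discussion above suggests: the user-id field is treated as sensitive in its own right, and a form delivered over plain HTTP is flagged even when its action is HTTPS. The host, form, and field names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Names treated as sensitive even when the input type is "text": as the thread
# notes, a "username" field may itself be an SSN.
SENSITIVE_NAMES = {"userid", "user_id", "username", "user", "ssn", "password", "passwd"}
class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL and (type, name) inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":  # empty/relative action posts back to the page's own origin
            self._current = {"action": urljoin(self.page_url, a.get("action", "")), "fields": []}
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

def audit_login_forms(page_url, page_html):
    """One finding per form that collects sensitive fields without TLS end to end."""
    parser = FormCollector(page_url)
    parser.feed(page_html)
    parser.close()
    findings = []
    for form in parser.forms:
        sensitive = [n for t, n in form["fields"] if t == "password" or n in SENSITIVE_NAMES]
        if not sensitive:
            continue
        if urlparse(page_url).scheme != "https":
            # An https action does not help: a form delivered over plain HTTP can be
            # rewritten in transit (the ARP-spoofing case this thread is about).
            issue = "form delivered over plain HTTP"
        elif urlparse(form["action"]).scheme != "https":
            issue = "form posts to a plain-HTTP action"
        else:
            continue
        findings.append({"action": form["action"], "fields": sensitive, "issue": issue})
    return findings

# Constructed sample: step one of a multi-step login served over HTTP but posting
# to HTTPS and asking only for the user id (placeholder host, not a real site).
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<html><body><form action="https://bank.example/login/step1" method="post">
<input type="text" name="userid"><input type="submit" value="Continue">
</form></body></html>"""
```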