web application security lab

Tokens and Phishing

Second-factor authentication tokens are literally my least favorite topic, and unfortunately one of the mailing lists I’m on is getting overrun by inane conversation about them, from people who have only rolled them out in IT settings (not for consumers).

But the point of this post wasn’t to rant, so much as to quote someone from Slashdot about a year ago. Forgive me because I can’t find the source, but the gist of it was, “Hello, we are your bank. Your token has expired. Please mail us your username, your password and your token so that we can ensure that it gets replaced.”

It doesn’t matter how smart you are, I can come up with a better idiot who will fall for identity theft. Case in point:

Identity theft

Can we stop talking about this now? You can’t save your users from stupidity by asking them to adopt security. They’ll find a better way to bypass your security with their ignorance. Trust me!

2 Responses to “Tokens and Phishing”

  1. Jon Lucenius Says:

    Hello,

    We eventually will use tokens in our ‘Big Bank’ as a measure of ‘high security’. There is another quote I like to refer to when dealing with security as related to mass consumers. “Artificial Intelligence is no match for natural stupidity.” Not sure who said it, but it should be emblazoned across all developers’ desks and laptops.

    The sad part is people assume the old ways are safer, doing business in person, or calling on the phone. Worse yet, architects rely on these other avenues of ‘security’, assuming it is another entity’s job.

    Hope you get the form working above - would like to know if my data is safe :->

    Jon {head.hacker} Lucenius

  2. someguy Says:

    Tokens are worthless. Phishers use a man in the middle attack in which they ask the user to enter username, password, AND the token number. They take that information and feed it into the bank website in real time.
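The real-time relay that someguy describes in the last comment can be modeled in a few lines, which also shows the property a token needs in order to survive it. The Python below is an added illustration, not code from the post, its comments, or any bank: the seed, timestamps, origins and challenge are all constructed. The first half implements a standard time-based one-time code (HOTP/TOTP style) and shows that a code the user types into a phishing page still verifies at the bank a few seconds later, because nothing in the code says where it was typed. The second half replaces the code with a response bound to the origin the user's browser is actually talking to (the idea behind origin-bound challenge-response authenticators); a relayed response then fails at the bank because the phisher's origin is baked into it.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-seed"   # constructed seed, not a real token secret
STEP = 30                            # seconds per time-step, as in common TOTP deployments
T_USER = 1_700_000_000               # constructed time at which the user types the code
RELAY_DELAY = 5                      # seconds the phisher takes to forward it


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Bank-side check: accept the current step and the previous one (clock-skew tolerance)."""
    return any(hmac.compare_digest(totp(secret, now - k * STEP), code) for k in (0, 1))


def relayed_totp_accepted() -> bool:
    """User types the code into the phishing page; phisher forwards it to the bank seconds later."""
    code_given_to_phisher = totp(SECRET, T_USER)            # captured by the phishing page
    return bank_verify_totp(SECRET, code_given_to_phisher, T_USER + RELAY_DELAY)


# --- origin-bound alternative -------------------------------------------------

BANK_ORIGIN = "https://bank.example"                        # constructed
PHISH_ORIGIN = "https://bank-example.phish.invalid"         # constructed
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; bank issues a fresh one per login


def sign_bound(secret: bytes, origin: str, challenge: bytes) -> str:
    """Authenticator response that commits to the origin the browser is really at."""
    return hmac.new(secret, origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def bank_verify_bound(secret: bytes, challenge: bytes, response: str) -> bool:
    """Bank recomputes the response over ITS OWN origin; any other origin fails."""
    expected = sign_bound(secret, BANK_ORIGIN, challenge)
    return hmac.compare_digest(expected, response)


def legitimate_bound_accepted() -> bool:
    """User logs in directly at the bank: origins match, response verifies."""
    return bank_verify_bound(SECRET, CHALLENGE, sign_bound(SECRET, BANK_ORIGIN, CHALLENGE))


def relayed_bound_accepted() -> bool:
    """Phisher relays the bank's challenge, but the user's authenticator signs the phishing origin."""
    response_given_to_phisher = sign_bound(SECRET, PHISH_ORIGIN, CHALLENGE)
    return bank_verify_bound(SECRET, CHALLENGE, response_given_to_phisher)


if __name__ == "__main__":
    print("relayed one-time code accepted by bank:", relayed_totp_accepted())   # True
    print("direct origin-bound login accepted:    ", legitimate_bound_accepted())  # True
    print("relayed origin-bound login accepted:   ", relayed_bound_accepted())   # False
```

The point for anyone rolling tokens out to consumers: a code the user can read and retype is, by construction, a code the user can hand to whoever asked for it, and the bank cannot tell a relayed code from a direct one. Only a response that is tied to the origin the user is actually connected to removes the user from that decision, which is the difference the second half models.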