struts-user mailing list archives

From Paweł Wielgus <>
Subject Re: Avoid Phishing in Struts Applications plugin
Date Tue, 07 Sep 2010 14:12:01 GMT
Hi all,
one of the banks I use uses a standard login and password to log on,
but after login, when one wants to transfer money or do any cash
related operation,
one needs to provide a special token from a secret list or from
a hardware token.
That way stealing my login and password won't do much for a thief.
So any phishing that collects my login and password
will not succeed in transferring money from my account.
Combine this with a personal picture uploaded by the bank to my profile
(like on credit cards)
and you have a pretty strong system that any user will understand.
Of course, when someone does a "man in the middle",
no defense can be applied at all.

Best greetings,
Paweł Wielgus.

2010/9/6 Oscar <>:
> Ok, I got it. Thanks so much for the info.
> 2010/9/6 Dale Newfield <>
>> Examples of why SiteKey really isn't sufficient:
>> (As well as the fact that it's possible for a phishing site to use the same
>> provided ID to ask the real site what sitekey should be shown to the end
>> user, effectively a man-in-the-middle attack, illustrated at
>> )
>> Some other company's solution that appears to involve users having to store
>> a keyfile on their machine, but it seems that would make it impossible to
>> log into the site from a random machine (or a mobile device like the iPhone
>> that doesn't have an available filestore), and I don't see what prevents
>> those users from being duped into providing that keyfile to a phisher.
>> It's a hard problem, and it mostly happens *outside* your app, so good luck
>> solving it within your app. :-(
>> -Dale
> --
> Oscar Calderón
> SCJP 6  <>
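
The two-step scheme described in the message above (password to log in, a one-time code from a list to move money), as an added example that is not part of the original thread or of any Struts plugin. The class name `TransferStepUp`, its methods, the 6-digit code format and the policy of burning a code on any attempt are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
// Hypothetical step-up check (all names are assumptions): login alone cannot move money.
public class TransferStepUp {
    private final Map<Integer, byte[]> unused = new HashMap<>(); // index -> SHA-256(salt || code)
    private final byte[] salt = new byte[16];
    private final SecureRandom rng = new SecureRandom();
    private int pending = -1; // index the server asked for; -1 means no challenge is open
    // Generates the printed list and keeps only salted hashes server-side.
    public String[] issueList(int size) throws Exception {
        rng.nextBytes(salt);
        String[] printed = new String[size];
        for (int i = 0; i < size; i++) {
            printed[i] = String.format("%06d", rng.nextInt(1_000_000));
            unused.put(i, hash(printed[i]));
        }
        return printed;
    }
    // The server, not the client, picks which unused code must be supplied.
    public int challenge() {
        if (unused.isEmpty()) throw new IllegalStateException("code list exhausted");
        Integer[] open = unused.keySet().toArray(new Integer[0]);
        return pending = open[rng.nextInt(open.length)];
    }
    // A password session alone never authorizes; the challenged code is burned on any attempt.
    public boolean authorizeTransfer(boolean sessionValid, String code) throws Exception {
        if (!sessionValid || pending < 0) return false;
        byte[] expected = unused.remove(pending);
        pending = -1;
        return code != null && MessageDigest.isEqual(expected, hash(code));
    }
    private byte[] hash(String code) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(code.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        TransferStepUp account = new TransferStepUp();
        String[] list = account.issueList(10); // constructed sample list
        account.challenge();
        System.out.println(account.authorizeTransfer(true, "guess")); // phished password, no list
        int idx = account.challenge();
        System.out.println(account.authorizeTransfer(true, list[idx])); // holder of the list
        System.out.println(account.authorizeTransfer(true, list[idx])); // same code replayed
    }
}
```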
