On Tue, 26 May 2009, Eric Christensen wrote:
> On Tue, May 26, 2009 at 15:13, Jeroen van Meeuwen <kanarip@xxxxxxxxxxx> wrote:
>> Although this is entirely true, my bank sure considers my phone safe enough
>> to send me one-time transaction confirmation codes that are only valid with
>> the existing session.
>> So, to hack this, you would need access to my phone as well as my current
>> session.
>> -Jeroen
> I'm glad your bank considers your phone safe enough. But do you?
> Your bank puts the security of your money in your hands, which is fine
> for them because it isn't their money.
> Remember, messages going through the Internet to the phone company to
> your phone aren't encrypted or otherwise protected.
Which is why it is 2-factor auth! You have to put both the session key and
the password you know together in order to auth.
The bank is implicitly saying they don't trust the phone, nor do they trust
your password, but if you have both of them..... then they trust that.
-sv
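The property the thread is arguing about, a confirmation code that is worthless outside the session and transaction it was issued for, comes down to what the server enforces when the code is presented. The following is an added illustration written for this page, not code from the thread or from any bank; the TTL of 300 seconds, the three-guess budget, the session ids and the transaction strings are all assumed sample values. It shows a server-side store that binds each code to a session id and a transaction fingerprint, accepts it once, expires it, and limits wrong guesses, so a code intercepted on its way to the phone does not by itself authorize anything.

```python
"""Session-bound one-time confirmation codes (added illustration, not from the thread).

Models the property discussed above: a code delivered out of band (e.g. by SMS)
is accepted only for the web session and transaction it was issued for, is
single-use, expires, and tolerates only a few wrong guesses.  How the code
reaches the phone is out of scope; the point is what the server checks.
"""
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300      # assumed lifetime; real deployments pick their own
MAX_ATTEMPTS = 3           # assumed guess budget per issued code


class SessionOtpStore:
    """Server-side store of pending codes, keyed by session id."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock so expiry is testable
        self._key = secrets.token_bytes(32)   # per-process HMAC key; stored digests are not reversible
        self._pending = {}                    # session_id -> {"digest", "expires_at", "attempts"}

    def _digest(self, session_id, tx_fingerprint, code):
        # Mix session and transaction into the digest, so a code captured in one
        # context does not verify when replayed against another.
        msg = f"{session_id}|{tx_fingerprint}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, session_id, tx_fingerprint):
        """Create a fresh code for this session/transaction; returns the code to send out of band."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "digest": self._digest(session_id, tx_fingerprint, code),
            "expires_at": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, session_id, tx_fingerprint, presented_code):
        """Return True exactly once, for the right session + transaction + code, inside the TTL."""
        rec = self._pending.get(session_id)
        if rec is None:
            return False                      # nothing pending for this session
        if self._now() > rec["expires_at"]:
            del self._pending[session_id]     # expired: the user must request a new code
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[session_id]     # guess budget exhausted: invalidate the code
            return False
        expected = self._digest(session_id, tx_fingerprint, presented_code)
        if not hmac.compare_digest(expected, rec["digest"]):
            return False                      # wrong code, or transaction details were altered
        del self._pending[session_id]         # single use: consumed on success
        return True


def demo():
    """Walk through the cases the thread argues about; returns each outcome by name."""
    clock = [1_000_000.0]                     # constructed fake clock, seconds
    store = SessionOtpStore(now=lambda: clock[0])
    code = store.issue("sess-A", "pay 100 EUR to acct 42")   # constructed sample transaction
    results = {
        # the bare code, presented under a different session, is useless
        "other_session": store.verify("sess-B", "pay 100 EUR to acct 42", code),
        # same session, but the transaction the code was issued for was altered
        "altered_tx": store.verify("sess-A", "pay 9000 EUR to acct 99", code),
        # right session, right transaction, right code
        "legit": store.verify("sess-A", "pay 100 EUR to acct 42", code),
        # replaying the already-consumed code fails
        "replay": store.verify("sess-A", "pay 100 EUR to acct 42", code),
    }
    code2 = store.issue("sess-A", "pay 5 EUR to acct 7")
    clock[0] += OTP_TTL_SECONDS + 1           # let the code age past its lifetime
    results["expired"] = store.verify("sess-A", "pay 5 EUR to acct 7", code2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

`issue()` returns the code only so the caller can hand it to the delivery channel; nothing but the HMAC digest is kept server-side, and `hmac.compare_digest` keeps the comparison constant-time. Binding the transaction fingerprint into the digest is what makes the code a confirmation of a specific transfer rather than a general second password.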
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list