
What about Keystroke Dynamics (Rhythm)? This seems to be a viable option that ties in what you are with what you know as a second factor. Consider that script kiddies, phishing, and social engineering all go away, since the rhythm of a typer can't be duplicated. The FAR is the same as that of biometric devices.


And here's Roll Over Beethoven from October 1963 - enjoy!

In any case, the phone-text second channel pretty much requires that the attacker be in the vicinity of the victim, to eavesdrop or spoof*. This reduces the number of possible attackers by many orders of magnitude, and greatly increases their risk of being caught. This should be enough to keep the bank accounts of ordinary people secure.

What the hell - let the guys have fun.

If they have to type in a PIN from the text into the computer, it becomes harder. Not only do we have to intercept the text (stolen or spoofed phone, or eavesdrop if communication is unencrypted) but we have to relay this information to our trojan in a timely manner for it to pass on to the bank.

= Interested in the lightning technics used during the last Stones tours? Well, have a look at !

Posted by on September 4, 2016 at 6:30pm

In the end I think it comes back to the stance that Bruce is taking wrt two factor authentication. Which as I understand it, is that in the face of the specific attacks he mentions, active Man-in-the-Middle attacks (works by user not verifying server) and active Trojan attacks (works by user installing bad code), two factor authentication doesn't provide a lot of additional value. With this I would have to agree.

Posted by on December 18, 2017 at 9:08pm

What you are suggesting is exactly what ABN-Amro in Holland is using. I think it is foolproof with regards that nobody can wire money to an account that I have not given authorisation for. Viewing my private information like saldo etc. is a different story.

As long as this is part of the key, the key will have its faults.

However, one has to take into consideration the "work factor" of moving from passive attacks to active attacks. I think that two factor authentication is a great technology that will overall increase security by "raising the bar", forcing the attacks to get much more sophisticated (which will tend to filter out all but the most determined attackers).

What the hell else are they going to do? When the demand stops, they’ll stop perhaps.


This is a great cautionary tale on the need for defense in depth. There are many ways to break into a system and you can't just watch one of the doors to the castle. I still would argue that two-factor is not useless since guessing/stealing passwords is rampant. Either by eavesdropping or stealing a hashed password database and brute-forcing the passwords. This is particularly damaging since users tend to re-use the same passwords over and over again on multiple sites. Having a second factor greatly reduces the likelihood that this type of break-in will succeed. I have blogged about this.


Posted by on January 28, 2018 at 5:38am

For years, I've been quietly observing and sometimes commenting (by way of casual conversation) on the changing face of technology and the progress of Information Security and the computing industry (or lack thereof.)

Publishing and video are a little further back but following the same track.

Posted by on January 6, 2018 at 9:11pm

He also proposes that in general, attacks are moving from passive (time shifted) methods to active (real time) methods, which is what makes them especially effective against two factor authentication. Again I would have to agree.