Verisign today announced that they will be inserting one-time passwords into credit cards.
I think this is generally a good, long-awaited idea, since it will strengthen the authentication used for credit-card purchases. However, I take some exception to the statement in the Yahoo! News story that said "Security companies like VeriSign and EMC Corp.'s RSA Security Inc. have been promoting one-time passwords and other "two-factor" authentication systems to combat "phishing" and other scams aimed at tricking users into revealing sensitive data like passwords."
"By requiring a second code that is tied to a device or a card in the user's possession, an online account remains protected even if the regular password is compromised. If a customer loses the device or card, someone would still need to know the username and password to log on."
What one-time passwords do is foil attempts by criminals to log on with a user ID and password captured by a Trojan keylogger. Strong authentication, however, does NOT prevent phishing attacks, which are man-in-the-middle attacks.
In a new paper I've just released, "Myths about protecting your enterprise from phishing attacks", I explain that a man-in-the-middle attack simply passes on whatever the stronger authentication mechanism produces. A recent example the paper mentions is the successful phishing attack on ABN Amro, which used two-factor authentication.
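To make the point above concrete, here is an added illustration (not code from the original post or from any vendor): a bank-side check of password plus TOTP accepts a code no matter where the user typed it, so a look-alike site that forwards it within the same time window succeeds, whereas a second factor that includes the origin in what it signs fails verification when relayed. Every secret, password and origin below is a constructed sample value.

```python
# Added illustration: why a relay defeats a one-time password, and why an
# origin-bound second factor (not discussed in the post) is not relayable.
# All secrets and names here are constructed for the example.
import hashlib, hmac, struct

SECRET = b"constructed-shared-secret"   # provisioned on the card/device
USER_PASSWORD = "constructed-password"  # constructed sample credential

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Plain RFC 6238 TOTP: the code depends only on the secret and the time."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"

def bank_login_otp(password: str, code: str, now: int) -> bool:
    """Bank-side check of password + OTP. Nothing ties the code to the site
    the user typed it into, so a relayed code is exactly as valid as a direct one."""
    return password == USER_PASSWORD and hmac.compare_digest(code, totp(SECRET, now))

def relayed_otp_login(now: int) -> bool:
    """Model of the attack the post describes: credentials entered at a
    look-alike site are forwarded to the real bank inside the same window."""
    captured = (USER_PASSWORD, totp(SECRET, now))   # what the victim typed
    return bank_login_otp(*captured, now)            # True: the bank cannot tell

# Mitigation: the authenticator signs the challenge together with the origin
# it is actually talking to, so the bank can detect a response made elsewhere.
BANK_ORIGIN = "https://bank.example"                 # constructed

def sign_challenge(secret: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound response: the origin is part of the signed message."""
    return hmac.new(secret, challenge + origin.encode(), hashlib.sha256).hexdigest()

def bank_verify_bound(challenge: bytes, signature: str) -> bool:
    expected = sign_challenge(SECRET, challenge, BANK_ORIGIN)
    return hmac.compare_digest(signature, expected)

def relayed_bound_login() -> bool:
    """Same relay against an origin-bound factor: the response was produced
    for the look-alike origin, so the bank's verification fails."""
    challenge = b"nonce-issued-by-real-bank"           # constructed
    sig = sign_challenge(SECRET, challenge, "https://bank-login.example")
    return bank_verify_bound(challenge, sig)            # False: origin mismatch
```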
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com