Hi hackers

I have been wondering about how to avoid the actual man in the middle, not just a person who sniffs your connection, but where another person/machine sends your information through to the real site in REALTIME and is then able to use your account.

Here in Denmark we have a paper keycard that we have to use every time we log on to our bank account. You first write your username and password and the server responds with a number. That number you have to look up on your card and respond back with the answer.

The problem is that some evil hackers have sat there at the same time and just made the user think they were logging in successfully, but the hacker used their info to log in to the bank. The hacker now gets the question for the keycode, but does not have it. The hacker now asks the user, who thinks that he has logged in successfully and then gives the hacker the CORRECT keycode the hacker needs: a SUCCESSFUL hack for the evil hacker.

All he has to do is send a lot of spam and get people to fake websites that look like real websites, and the hacker wins. The user does not think it is a problem because: "I have a keycard, nobody can hack me". That is a BIG problem.

I have thought of a solution:

You could make the machine count seconds, because the hacker has to use double the time that it would normally take to talk with the real server. That way you could tell the user when they may have been compromised, but what if the user has a slow internet connection?

You cannot just say, make a program instead of using the browser, because a lot of the time the user who is abused has already been infected by malware and spyware.

It does not help to use SMS as a 2-factor, because the hacker can still sit in the middle and log in for the user, and the user will get the right SMS and send the code to the hacker.

How can we either educate our users to look for certain things like the actual response time, or make a solution which does not make it possible for a hacker to do such an attack?

I ask this because several people in Denmark have been hacked this way, after what the Danish government promised to be unbreakable. Everything can be hacked in some way, but the problem is that the users think they can't and therefore act more stupidly and freely than before, when people were told they would die if they told anybody.

Best regards from Denmark
Kevin Simper
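
The timing idea from the post above, as an added example that is not part of the original thread: a Python model of a server that flags logins whose keycode answer arrives late, evaluated on honest and relayed sessions. The card lookup times, round-trip times and relay delay are constructed assumptions, not measurements from any real bank.

```python
import random

def server_wait(lookup_s, rtt_ms, relay_ms=0.0):
    """Seconds the bank waits between sending the number and getting the keycode.
    relay_ms is the extra delay when a middle machine forwards both messages."""
    return lookup_s + (rtt_ms + relay_ms) / 1000.0

def sample_logins(n, relayed, rng):
    """Constructed sample data under the assumptions named in the comments below."""
    waits = []
    for _ in range(n):
        lookup_s = rng.uniform(4.0, 25.0)             # assumed: finding the number on the card
        rtt_ms = rng.choice([20, 60, 150, 400, 900])  # assumed: fibre down to poor mobile
        relay_ms = rng.uniform(40.0, 200.0) if relayed else 0.0  # assumed extra hop
        waits.append(server_wait(lookup_s, rtt_ms, relay_ms))
    return waits

def rates(threshold_s, honest, relayed):
    """(false-alarm rate, detection rate) when every wait above the threshold is flagged."""
    false_alarm = sum(w > threshold_s for w in honest) / len(honest)
    detected = sum(w > threshold_s for w in relayed) / len(relayed)
    return false_alarm, detected

def best_separation(honest, relayed):
    """Largest (detection - false alarm) over all thresholds, and the threshold giving it."""
    best = (0.0, 0.0)
    for th in sorted(set(honest + relayed)):
        fa, det = rates(th, honest, relayed)
        if det - fa > best[0]:
            best = (det - fa, th)
    return best

def run(seed=2012, n=1000):
    rng = random.Random(seed)
    honest = sample_logins(n, relayed=False, rng=rng)
    relayed = sample_logins(n, relayed=True, rng=rng)
    return best_separation(honest, relayed)

if __name__ == "__main__":
    gap, threshold = run()
    print(f"best threshold {threshold:.2f}s separates the two groups by only {gap:.1%}")
    # Slow-connection case from the post: honest user on a slow link vs. relayed user on a fast one.
    print(server_wait(10.0, 900), server_wait(10.0, 20, relay_ms=100))
```

With these assumed numbers the time a person spends finding the number on the card dwarfs the extra hop, so an honest user on a slow link can take longer than a relayed user on a fast one.
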
Offtopic, but the Denmark 'paper keycard' is an incredibly ass-backwards system.

All our customers from Denmark have to use their card to use our software, and I can't believe something like this exists in 2012, or ever, really.