Full Disclosure mailing list archives
Re: Request for comments: anti-phishing storefront approach
From: Dan Margolis <dmargoli+lists () af0 net>
Date: Fri, 3 Jun 2005 23:33:30 -0700
On Fri, Jun 03, 2005 at 07:37:28PM -0400, Doug Ross wrote:
> Given the recent PR regarding Bank of America's SiteKey (which seems to me to be susceptible to MIM attacks), I'd appreciate any feedback on this anti-phishing approach: http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html
Your example includes the notion of a CAPTCHA-style warning image that says "...If any of the three items aren't true or don't look right, DON'T SIGN IN." Couldn't one just as easily--and just as falsely--expect customers to obey a warning that says "If you don't see a valid SSL 'lock' icon in your browser window, DON'T SIGN IN?" Both cases are essentially identical, only the former requires more work by me to verify--I have no idea what the last check number I wrote was, and depending on my ISP, it's likely that I'll appear to be connecting from some place 300 miles from my current location, yet with verifying SSL, all I have to do is check to see if a little icon is up in the window.

As you say, Bank of America needs to use SSL on their login page. But if you're talking about training users--and that's necessary, because otherwise, phishers can just remove the warning reminder bit from their fake login pages--you may as well just train them to look for valid SSL certs.

On a side note, I have to wonder how much of this appears to be magic to the ordinary user, to the extent that you could make all sorts of statements in the name of security and the user would buy it. For instance, a phisher could put a fake Verisign button on his site that, when clicked, does something different than the real Verisign ones do. Or, better yet, a box that says "If the above image does not read 'AUTHENTIC,' do not sign in." Users would assume that some sort of verification were going on. Never mind the mechanism.

--
Dan