WebApp Sec mailing list archives

RE: Article - A solution to phishing


From: "Damhuis Anton" <DamhuisA () aforbes co za>
Date: Fri, 26 Nov 2004 10:33:30 +0200


Hi Michael.

I read the article, and it was quite interesting.

Scenario:
Email is used as Login.

The biggest problem to me would be that if the mail is intercepted by a 3rd party within the 15 minutes, they have all the details to log in.

Scenario:
A PIN number is used as Login

This would be a lot better, since the 3rd party can see a password when intercepting the email, but has no idea for which PIN number it can be used.

Therefore the information sent to the user's email is still safe, even in the short period.

(Unless maybe the 3rd party is sniffing the HTTP and SMTP traffic).

Our Rule of thumb is:
One should never send all the details in an email that a person can use to log in.

Regards
  Anton
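The two scenarios Anton contrasts, modelled server-side as an added example (this is not code from Michael's article or from either poster): in the first, the e-mail carries both the login identifier and the one-time password, so the message alone completes a login inside the 15-minute window; in the second, the e-mail carries only a one-time password and the login also requires a PIN that was set up out of band and never travels by mail. Assumptions beyond the thread: the PIN acts as the login identifier (as in the "PIN number is used as Login" scenario), the server holds an assumed secret key so PINs are stored as keyed hashes rather than in clear, one-time passwords are stored hashed and redeem at most once, and the addresses, PIN and clock values are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute window discussed in the thread


def _sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class OneTimeStore:
    """Keeps hashed one-time passwords with an expiry; each redeems at most once."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # account key -> (sha256(otp), expiry timestamp)

    def issue(self, key: str) -> str:
        otp = secrets.token_urlsafe(16)
        self._pending[key] = (_sha256_hex(otp), self.clock() + TOKEN_TTL_SECONDS)
        return otp

    def redeem(self, key: str, otp: str) -> bool:
        entry = self._pending.get(key)
        if entry is None:
            return False
        digest, expiry = entry
        if self.clock() > expiry:
            del self._pending[key]  # expired: drop it so it can never be redeemed later
            return False
        ok = hmac.compare_digest(digest, _sha256_hex(otp))
        if ok:
            del self._pending[key]  # single use
        return ok


class EmailOnlyLogin:
    """Scenario 1: the login identifier and the password both travel in the mail."""

    def __init__(self, clock=time.time):
        self.store = OneTimeStore(clock)

    def request_login(self, email: str) -> str:
        otp = self.store.issue(email)
        return f"To: {email}\nLogin: {email}\nPassword: {otp}"

    def login(self, email: str, otp: str) -> bool:
        return self.store.redeem(email, otp)


class PinPlusEmailLogin:
    """Scenario 2: the PIN is enrolled out of band and is never put in a mail."""

    def __init__(self, clock=time.time):
        self.store = OneTimeStore(clock)
        self._lookup_key = secrets.token_bytes(32)  # assumed server-side secret
        self._accounts = {}  # keyed hash of PIN -> enrolled e-mail address

    def _pin_key(self, pin: str) -> str:
        # keyed hash: the table holds neither clear PINs nor offline-guessable digests
        return hmac.new(self._lookup_key, pin.encode(), "sha256").hexdigest()

    def enrol(self, pin: str, email: str) -> None:
        self._accounts[self._pin_key(pin)] = email  # the PIN is the login identifier here

    def request_login(self, pin: str):
        key = self._pin_key(pin)
        email = self._accounts.get(key)
        if email is None:
            return None
        otp = self.store.issue(key)
        return f"To: {email}\nPassword: {otp}"  # no hint of which PIN this belongs to

    def login(self, pin: str, otp: str) -> bool:
        return self.store.redeem(self._pin_key(pin), otp)


def mail_field(mail: str, name: str) -> str:
    """Read one header-style field (e.g. 'Password') off a message body."""
    for line in mail.splitlines():
        if line.startswith(name + ": "):
            return line.split(": ", 1)[1]
    raise KeyError(name)


def run_scenarios() -> dict:
    now = [1_000_000.0]  # constructed, controllable clock

    def clock() -> float:
        return now[0]

    results = {}
    s1 = EmailOnlyLogin(clock)
    mail = s1.request_login("user@example.com")  # constructed address
    # whoever reads this mail within the window holds the complete login
    results["s1_mail_alone_suffices"] = s1.login(mail_field(mail, "Login"), mail_field(mail, "Password"))

    s2 = PinPlusEmailLogin(clock)
    s2.enrol("4711", "user@example.com")  # constructed PIN, set up out of band
    otp = mail_field(s2.request_login("4711"), "Password")
    results["s2_mail_without_pin_fails"] = not s2.login("0000", otp)  # wrong PIN
    results["s2_pin_plus_mail_succeeds"] = s2.login("4711", otp)
    results["s2_replay_fails"] = not s2.login("4711", otp)
    otp = mail_field(s2.request_login("4711"), "Password")
    now[0] += 16 * 60  # past the 15-minute window
    results["s2_expired_fails"] = not s2.login("4711", otp)
    return results
```

The demo models only what can be read off the mail itself; as the reply notes, an observer who also sees the HTTP login traffic learns the PIN as well, so the login form still needs transport protection, and the short expiry plus single use limit how long an intercepted message stays useful in either design.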

-----Original Message-----
From: Michael Silk [mailto:michaels () phg com au]
Sent: 23 November 2004 05:41
To: webappsec () securityfocus com
Subject: Article - A solution to phishing


Hi,

    Just a quick little article about a login system that should (I
think :)) prevent phishing attempts on your site.


http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

    Have a look at it and let me know what you think ... and apologies
to anyone if an idea like this is already out there :)

-- Michael

Confidentiality Warning
=======================
The contents of this e-mail and any accompanying documentation
are confidential and any use thereof, in what ever form, by anyone
other than the addressee is strictly prohibited.
