Re: Article - A solution to phishing

[focus () karsites net]

Maybe it is feasable to offer users different levels of
security for loggin in.

If it is going to be a one-off hi-value financial
transaction, then allow the user a higher level of security
for logging into a site, to complete that transaction.
Otherwise, just use the standard logging in methods of
username and password.

Alternatively, why not use two passwords, and a username.

My online bank uses a system of picking random numbers from
my password, and asking me to match those numbers with a
drop down box, instead of just typing in the exact password
in the same format at each login.

Regards - Keith Roberts


http://www.karsites.net/

On Fri, 26 Nov 2004, Paul Johnston wrote:

> To: Michael Silk <michaels () phg com au>
> From: Paul Johnston <paul () westpoint ltd uk>
> Subject: Re: Article - A solution to phishing
>
> Hi Michael,
>
> Interesting idea. Not unlike the way credit card companies will
> sometimes phone you before authorizing a large transaction (never
> happened to me, but they claim they do it). I think this is good as
> supplemental authentication, but the delay waiting for the email and
> such probably make it unsuitible as the main authentication technique.
> In addition, if it is the ONLY authentication technique, then compromise
> of the email account means compromise of all accounts using this
> authentication.
>
> Perhaps an interesting variation would be to SMS a pass code to a mobile
> phone.
>
> In fact, PayPal do something which is kind of similar. When you join,
> they bill your card the membership fee, and put a random code in the
> originator's reference. When you receive your bill and supply this
> reference back to PayPal, your account is upgraded to "verified" status.
> Very sensible precaution.
>
> Regards,
>
> Paul
>
> Michael Silk wrote:
>
> > Hi,
> >
> >    Just a quick little article about a login system that, should (i
> > think :)), prevent phishing attempts on your site.
> >
> >
> > http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
> > l
> >
> >    Have a look at it and let me know what you think ... and apologies
> > to anyone if an idea like this is already out there :)
> >
> > -- Michael
> >
> >
> > **********************************************************************
> > This email message and accompanying data may contain information that is confidential and/or subject to legal 
> > privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or 
> > copying of this message or data is prohibited. If you have received this email message in error, please notify us 
> > immediately and erase all copies of this message and attachments.
> >
> > This email is for your convenience only, you should not rely on any information contained herein for contractual or 
> > legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed 
> > by authorised persons.
> > **********************************************************************
>
> --
> Paul Johnston
> Internet Security Specialist
> Westpoint Limited
> Albion Wharf, 19 Albion Street,
> Manchester, M1 5LN
> England
> Tel: +44 (0)161 237 1028
> Fax: +44 (0)161 237 1031
> email: paul () westpoint ltd uk
> web: www.westpoint.ltd.uk