WebApp Sec mailing list archives
RE: Article - A solution to phishing
From: "Mark Curphey" <mark () curphey com>
Date: Sat, 27 Nov 2004 16:35:58 -0500
<snip> My online bank uses a system of picking random numbers from my password, and asking me to match those numbers with a drop down box, instead of just typing in the exact password in the same format at each login.</snip> Can you describe this in detail? Without the details one might think this just reduces the amount of entropy an attacker has to guess so is a bad thing. -----Original Message----- From: focus () karsites net [mailto:focus () karsites net] Sent: Saturday, November 27, 2004 4:12 AM To: webappsec () securityfocus com Subject: Re: Article - A solution to phishing Maybe it is feasable to offer users different levels of security for loggin in. If it is going to be a one-off hi-value financial transaction, then allow the user a higher level of security for logging into a site, to complete that transaction. Otherwise, just use the standard logging in methods of username and password. Alternatively, why not use two passwords, and a username. My online bank uses a system of picking random numbers from my password, and asking me to match those numbers with a drop down box, instead of just typing in the exact password in the same format at each login. Regards - Keith Roberts http://www.karsites.net/ On Fri, 26 Nov 2004, Paul Johnston wrote:
To: Michael Silk <michaels () phg com au> From: Paul Johnston <paul () westpoint ltd uk> Subject: Re: Article - A solution to phishing Hi Michael, Interesting idea. Not unlike the way credit card companies will sometimes phone you before authorizing a large transaction (never happened to me, but they claim they do it). I think this is good as supplemental authentication, but the delay waiting for the email and such probably make it unsuitible as the main authentication technique. In addition, if it is the ONLY authentication technique, then compromise of the email account means compromise of all accounts using this authentication. Perhaps an interesting variation would be to SMS a pass code to a mobile phone. In fact, PayPal do something which is kind of similar. When you join, they bill your card the membership fee, and put a random code in the originator's reference. When you receive your bill and supply this reference back to PayPal, your account is upgraded to "verified" status. Very sensible precaution. Regards, Paul Michael Silk wrote:Hi, Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site. http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing. htm l Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :) -- Michael ********************************************************************* * This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not
the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments.
This email is for your convenience only, you should not rely on any
information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.
********************************************************************* *-- Paul Johnston Internet Security Specialist Westpoint Limited Albion Wharf, 19 Albion Street, Manchester, M1 5LN England Tel: +44 (0)161 237 1028 Fax: +44 (0)161 237 1031 email: paul () westpoint ltd uk web: www.westpoint.ltd.uk
Current thread:
- Re: Article - A solution to phishing, (continued)
- Re: Article - A solution to phishing Rogan Dawes (Dec 03)
- Message not available
- Re: Article - A solution to phishing Michael Silk (Dec 14)
- Re: Article - A solution to phishing Adam Tuliper (Dec 15)
- Re: Article - A solution to phishing Ian (Dec 16)
- Re: Article - A solution to phishing exon (Dec 20)
- Re: Article - A solution to phishing Joseph Miller (Dec 20)
- Re: Article - A solution to phishing exon (Dec 22)
- Re: Article - A solution to phishing Rogan Dawes (Dec 22)
- RE: Article - A solution to phishing Mark Curphey (Nov 29)
- RE: Article - A solution to phishing focus (Nov 29)
- Re: Article - A solution to phishing Tran Viet Phuong (Nov 29)
- Re: Article - A solution to phishing Saqib . N . Ali (Nov 29)
- Re: Article - A solution to phishing Mark Burnett (Nov 29)
- RE: Article - A solution to phishing WebAppSecurity [Technicalinfo.net] (Nov 29)
- RE: Article - A solution to phishing WebAppSecurity [Technicalinfo.net] (Nov 29)