WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Fri, 24 Dec 2004 11:27:18 +1100
Hi Marco,

> Am I missing something here?

I think so :) You mention another "password" in your scheme of changing email addresses. There is no such password. The system might handle an email change by having the user log in, and then click "change email", where they place the new email address. Silkbank would then send a confirmation email _to the old_ email account that needs to be clicked to activate the change. From then on, the new email address is used.

-- Michael

PS: Typically when you create these online accounts with banks you do it in-store (at least in Australia).

-----Original Message-----
From: Marco Aurelio dos Santos [mailto:marco.gs () ig com br]
Sent: Thu 23/12/2004 5:26 AM
To: webappsec () securityfocus com
Cc:
Subject: Re: Article - A solution to phishing
In-Reply-To: <b841ffed0412092222217e0dc1 () mail gmail com>

Hello Michael, hello everybody,

I really think this solution is useful. At least it's original, and gives us an entirely new range of thinking. But, if you look at it, it's not so great. A lot of people have already made objections to it, so here are my two cents: let's think about Michael Silk's Internet Banking. The user will have to fill in a form with his/her information at some point, right? I mean, if the bank is going to send you an e-mail every time you access the Internet Banking system, first of all it has to have your e-mail address. Ok.

So, after six months using Silk's Internet Banking, I decide to move to another ISP. I need to inform the Bank about my new e-mail address. I suppose the bank will have a form at its web site for this kind of situation. I will open the appropriate URL, type in username and password and enter my new e-mail, e.g. marco () silkbank com.

Well, it's a flaw, isn't it? If someone gets THIS password, they can go to this URL and enter hacker () imabadguy com as the new e-mail address.

Am I missing something here?

Regards
Marco Aurelio
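The flow Michael describes (log in, submit a new address, and only switch over once a link mailed to the old address is clicked) is easy to get wrong in the details: the new address must not take effect before confirmation, the token must be single-use and expire, and the mail must go to the address already on file rather than the one just submitted. The following is an added example written for this archive page, not code from either poster or from any real bank; the `silkbank.example` URL, the one-hour token lifetime and the in-memory `Outbox` mailer are all assumed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 60 * 60  # assumed one-hour validity for the confirmation link


@dataclass
class Account:
    username: str
    email: str                        # the address currently on file
    pending_email: Optional[str] = None
    token_hash: Optional[str] = None  # only a hash of the token is stored
    token_expires: float = 0.0


class Outbox:
    """Constructed stand-in for the bank's mailer; records (recipient, body)."""

    def __init__(self) -> None:
        self.sent = []  # list of (recipient, body) tuples

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(account: Account) -> None:
    account.pending_email = None
    account.token_hash = None
    account.token_expires = 0.0


def request_email_change(account: Account, new_email: str, outbox: Outbox,
                         now: Optional[float] = None) -> str:
    """Called after the user has logged in and submitted a new address.

    Nothing changes yet: a random single-use token is generated, its hash is
    stored on the account, and the confirmation link is mailed to the OLD
    address only. Knowing the password alone therefore does not let anyone
    redirect the account's mail. The token is returned here purely so the demo
    can simulate the user clicking the link; a real service would deliver it
    by mail alone.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.token_hash = _hash_token(token)
    account.token_expires = now + TOKEN_TTL_SECONDS
    outbox.send(account.email,  # the address already on file, not new_email
                f"Confirm changing your address to {new_email}: "
                f"https://silkbank.example/confirm-email?token={token}")
    return token


def confirm_email_change(account: Account, token: str,
                         now: Optional[float] = None) -> bool:
    """Handler for the link in the confirmation mail. Returns True on success."""
    now = time.time() if now is None else now
    if account.pending_email is None or account.token_hash is None:
        return False                      # nothing pending, or already used
    if now > account.token_expires:
        _clear_pending(account)           # stale request: discard it
        return False
    if not hmac.compare_digest(account.token_hash, _hash_token(token)):
        return False                      # wrong token; keep the pending request
    account.email = account.pending_email  # switch over only now
    _clear_pending(account)               # token is single-use
    return True
```

Because only the hash of the token is stored, a read of the account table does not yield a usable confirmation link, and `hmac.compare_digest` keeps the comparison constant-time. A deployment would also want to notify the old address after the switch and to rate-limit `request_email_change`, neither of which the example shows.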