WebApp Sec mailing list archives
Re: Re: Article - A solution to phishing
From: <bluewizard83-de4gahsh () yahoo com>
Date: Thu, 14 Jul 2005 17:18:11 -0700 (PDT)
I am trying to understand how this works and makes things more secure; perhaps you can assist me. At their demo it seems that it works like this:

- At a form, a user enters their username, then submits the form.
- At the next form, a user types their password. If the graphic gets converted into something readable, the site is real.

So my first concern is that it seems that in step one you give the username, in the next step. In the separation of the steps, aren't you revealing that an account exists on your system before the user has actually logged in? In high security systems I thought the best practice was to only report 'bad password' or 'bad username/password' so that a hacker would never know they found a valid account.

In the second step in the demo I typed in my password. After my password was entered the image resolved into something readable. How do I know that the site was 'real' before I started my password, and not just a site with an image that changes every time the password field is changed?

Still, it seems this technology depends on the user knowing they shouldn't enter their password unless that image thing is present. Users continue to give passwords away when there isn't an 'SSL padlock' present, and they don't look at the location bar to verify that they are at the correct UNC. I am curious how effective this will be when it just seems to add another thing that you are expecting the user to verify before they try and log in.

I think I must have completely misunderstood how this is supposed to work. Can you give me a more real example of how this software would guarantee that a site is real before a user provides them with any personal information?

Oh, also it isn't entirely true to say it requires no client software; it requires Java and a fairly current browser. I usually run my browser with Java disabled.

Chris

--- jcjhilvfgvqcf () mailinator com wrote:
I have found a product that looks better than passmark. It is called ACUTrust (www.acutrust.com) and it uses a visualized token to authenticate the website. It does not use cookies and does not require any client based software. I also think that this would help a non technical person identify the site.
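The username-enumeration concern raised in Chris's message, illustrated with an added Python sketch that is not code from ACUTrust or from anyone in the thread: a naive two-step login that answers differently for unknown usernames, beside a uniform variant that derives a deterministic decoy image for any username and returns one generic failure message. The user table, SERVER_KEY and the function names are assumptions for the illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: one enrolled account and its chosen "site image".
# Passwords are stored as plain SHA-256 here only to keep the sketch short;
# a real system would use a salted password hash such as scrypt or argon2.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").digest(),
                   "image": "img_blue_boat"}}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)

def naive_step1(username):
    """Leaky step 1: an unknown username gets a different answer than a known one,
    so anyone can confirm which accounts exist before any password is sent."""
    if username in USERS:
        return {"image": USERS[username]["image"]}
    return {"error": "unknown user"}

def hardened_step1(username):
    """Uniform step 1: every username yields a stable image id, so this step
    alone no longer distinguishes enrolled accounts from unenrolled ones."""
    if username in USERS:
        return {"image": USERS[username]["image"]}
    # Decoy derived from the server secret: the same unknown username always
    # maps to the same image, so repeated probing sees a consistent answer.
    tag = hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()
    return {"image": "img_decoy_" + tag[:8]}

def step2(username, password):
    """Step 2 with a single generic failure message, as the message recommends:
    the caller cannot tell a wrong password from a nonexistent user."""
    record = USERS.get(username)
    # Compare against a dummy digest when the user is unknown so the amount of
    # work done is the same on both paths.
    stored = record["pw_hash"] if record else bytes(32)
    presented = hashlib.sha256(password.encode()).digest()
    if record and hmac.compare_digest(stored, presented):
        return {"status": "ok"}
    return {"status": "bad username/password"}

def leaks_existence(step1):
    """True if step1's response shape differs for known vs unknown usernames."""
    return set(step1("alice")) != set(step1("nobody"))
```

This addresses only the enumeration leak; it does nothing for the second point in the message, that an image shown only after the password field is filled cannot vouch for the site beforehand.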