Date: Sat Jun  4 07:33:40 2005
From: dmargoli+lists at af0.net (Dan Margolis)
Subject: Request for comments: anti-phishing storefront approach

On Fri, Jun 03, 2005 at 07:37:28PM -0400, Doug Ross wrote:
> Given the recent PR regarding Bank of America's SiteKey (which seems
> to me to be susceptible to MIM attacks), I'd appreciate any feedback
> on this anti-phishing approach:
> 
> http://directorblue.blogspot.com/2005/06/making-phishers-solve-captcha-problem.html

Your example includes the notion of a CAPTCHA-style warning image that
says "...If any of the three items aren't true or don't look right,
DON'T SIGN IN." Couldn't one just as easily--and just as
falsely--expect customers to obey a warning that says "If you don't see
a valid SSL 'lock' icon in your browser window, DON'T SIGN IN?" Both
cases are essentially identical, only the former requires more work by
me to verify--I have no idea what the last check number I wrote was,
and depending on my ISP, it's likely that I'll appear to be connecting
from some place 300 miles from my current location, yet with verifying
SSL, all I have to do is check to see if a little icon is up in the
window. 

As you say, Bank of America needs to use SSL on their login page. But if
you're talking about training users--and that's necessary, because
otherwise, phishers can just remove the warning reminder bit from their
fake login pages--you may as well just train them to look for valid SSL
certs. 

On a side note, I have to wonder how much of this appears to be magic
to the ordinary user, to the extent that you could make all sorts of
statements in the name of security and the user would buy it. For
instance, a phisher could put a fake Verisign button on his site that,
when clicked, does something different than the real Verisign ones do.
Or, better yet, a box that says "If the above image does not read
'AUTHENTIC,' do not sign in." Users would assume that some sort of
verification were going on. Never mind the mechanism. 
-- 
Dan
