nanog mailing list archives
Re: Phishing (Was Re: WashingtonPost computer security stories)
From: Michael.Dillon () radianz com
Date: Tue, 17 Aug 2004 14:13:26 +0100
> I wonder if the banks have ever considered how they have contributed to the problem. If their pages were straight up, no pop-ups, no JavaVirus, etc.... it would be far easier to tell their customers:
> ==============================================================
> Here is what our page looks like:
> But of course, that would not be glitzy enough....
My bank does pretty much what you suggest. Have a look here
https://ibank.barclays.co.uk/fp/1_2c/online/1,26806,logon,00.html
and if that link has timed out or something, just go here
https://ibank.barclays.co.uk/
and click the Log-in button.

Barclays also uses a "memorable word" in addition to the PIN code. They repeatedly tell us that no-one from Barclays will ever ask us to reveal this memorable word. Its only use is for a simple challenge-response where the website asks for two specific letters from the word and we select them from drop-down boxes to defeat keyloggers.

Nice example of layered security that keeps the criminals snapping at the heels of the guy next door, i.e. CitiBank et al.

--Michael Dillon
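
The two-letter challenge described in the message above, as an added server-side example in Python; it is not from the original post or from Barclays. The class name, the per-position HMAC verifiers, the pinned challenge and the three-failure lockout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: kept in a secret store in practice
MAX_FAILURES = 3                      # assumption: lockout threshold


def _verifier(salt: bytes, pos: int, ch: str) -> bytes:
    # One letter has very few possible values, so the server-held key is what protects it.
    msg = salt + pos.to_bytes(2, "big") + ch.lower().encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class MemorableWord:
    """Hypothetical per-customer record for the memorable word."""

    def __init__(self, word: str):
        self.salt = secrets.token_bytes(16)
        self.verifiers = [_verifier(self.salt, i, c) for i, c in enumerate(word)]
        self.pending = None  # positions currently being asked for
        self.failures = 0

    def challenge(self) -> tuple:
        # Keep the same two positions until they are answered correctly, so
        # reloading the page cannot be used to fish for positions whose
        # letters were captured during an earlier login.
        if self.pending is None:
            rng = secrets.SystemRandom()
            self.pending = tuple(sorted(rng.sample(range(len(self.verifiers)), 2)))
        return self.pending

    def verify(self, letters: str) -> bool:
        # letters: the two drop-down selections, in challenge order
        if self.failures >= MAX_FAILURES or self.pending is None:
            return False
        ok = len(letters) == len(self.pending)
        for pos, ch in zip(self.pending, letters):
            ok &= hmac.compare_digest(_verifier(self.salt, pos, ch), self.verifiers[pos])
        if ok:
            self.pending, self.failures = None, 0
        else:
            self.failures += 1
        return ok
```

A single observed login exposes only the two letters at the challenged positions, and those letters are useful again only when the same pair of positions is asked for.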