nanog mailing list archives
Re: Phishing and BGP Blackholing
From: "Travis H." <travis+ml-nanog () subspacefield org>
Date: Wed, 17 Jan 2007 19:04:09 -0600
On Wed, Jan 03, 2007 at 03:35:30PM +0100, Florian Weimer wrote:
> SecureID might be helpful if you want to differentiate your product between automatic and manual use, but it doesn't do anything to authenticate the party you are relaying information to. But it's useless in a phishing context. If you want a token solution, at least use something that factors in transaction-related data.
And since the whole point of using a token is having an isolated, presumably more trustworthy environment, then you also would logically need a display and input device for it. On the cryptography () metzdowd com list, there has been some discussion of this, and also some statements that the login needs to be part of the "browser chrome" (whatever that is) and not just any old form on an unprotected HTML page.

Furthermore, the current understanding of marketing departments and customer support is on par with "the lock icon means it's secure", so even reputable companies like (IIRC) Chase are sending out emails telling their customers to log in to web sites with domain names that don't even resemble Chase, essentially training customers to be phishing victims.

It's clear that the technology has progressed to the point that it is easier to confuse the user than actually exploit the security systems, and what we really need now is some leadership from UI designers (say, Apple) for browser designs and idioms that are intuitively obvious to the most casual of users. However, that's not exactly hard science and there isn't much usability research in the security community, because it's already so recondite.

--
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
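The distinction the thread draws, between a token code that only proves "someone holding the token pressed the button" and one that "factors in transaction-related data", is easy to show in code. The following is an added example written for this archive page, not code from either poster or from any token vendor. The plain code is RFC 4226 HOTP; the transaction-bound variant is a hypothetical construction in the same style (counter plus a digest of the displayed transaction fed to the same HMAC), chosen for illustration rather than taken from a standard. The shared seed and the two transactions are constructed values.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac: bytes) -> str:
    # Dynamic truncation from RFC 4226 section 5.3: pick a 4-byte window
    # at the offset named by the low nibble of the last byte, mask the sign
    # bit, and keep the low DIGITS decimal digits.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: the code depends only on the seed and the event counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def canonical_tx(payee: str, amount_cents: int, currency: str) -> bytes:
    """One fixed encoding of what the token's display shows and the bank will execute."""
    return f"{payee}|{amount_cents}|{currency}".encode()


def transaction_otp(secret: bytes, counter: int, tx: bytes) -> str:
    """Hypothetical transaction-bound code: the MAC input also covers the transaction.

    The token user types the transaction into the token (or scans it), reads it
    back on the token's own display, and only then gets a code for exactly that
    transaction. A code for one transaction is worthless for any other."""
    msg = struct.pack(">Q", counter) + hashlib.sha256(tx).digest()
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


def bank_accepts_plain(secret: bytes, counter: int, code: str) -> bool:
    # The bank only checks that the code is valid; the transaction is whatever
    # the (possibly relayed) web session asked for.
    return hmac.compare_digest(plain_otp(secret, counter), code)


def bank_accepts_tx(secret: bytes, counter: int, tx: bytes, code: str) -> bool:
    # The bank recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(transaction_otp(secret, counter, tx), code)


def relay_scenario() -> dict:
    """Constructed walk-through: the user intends one transfer, a relaying
    site substitutes another, and the code the user produced is replayed."""
    secret = b"constructed-shared-seed-0123456789"   # constructed, not a real seed
    counter = 42
    intended = canonical_tx("ACME Utilities", 12_000, "USD")       # what the user saw
    diverted = canonical_tx("mule account 7731", 950_000, "USD")   # what gets submitted

    # Plain OTP: the user's code says nothing about which transfer it authorises.
    plain_code = plain_otp(secret, counter)
    plain_relay_accepted = bank_accepts_plain(secret, counter, plain_code)

    # Transaction-bound: the code was computed over `intended` on the token's
    # own display, so it fails against the substituted transaction.
    tx_code = transaction_otp(secret, counter, intended)
    tx_relay_accepted = bank_accepts_tx(secret, counter, diverted, tx_code)
    tx_honest_accepted = bank_accepts_tx(secret, counter, intended, tx_code)

    return {
        "plain_relay_accepted": plain_relay_accepted,
        "tx_relay_accepted": tx_relay_accepted,
        "tx_honest_accepted": tx_honest_accepted,
    }


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```

Two design points the code makes explicit: the transaction-bound variant only helps if the token has its own display, so the user confirms the payee and amount on hardware the phishing page cannot draw on; and the bank must recompute the code over the transaction it will actually execute, not over whatever the client claims was signed.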