WebApp Sec mailing list archives

RE: Phishing


From: "Michael Silk" <silkm () hushmail com>
Date: Wed, 12 May 2004 17:20:20 -0700

Why not reverse the process of a "security question" so instead of
the WEBSITE asking YOU the question, YOU ask the WEBSITE.

I.e.    

Step 1. Pre-logon you enter your userid and choose a question from a
        list, as well as requiring picture confirmation.

Step 2. Bank validates via picture confirmation, replies with its answer
        to your chosen question.

Step 3. Onus is on user to decide if the answer to the question was correct,
        then they may enter in their password and continue.


Its advantage is that a "phisher" cannot possibly know the answer to the
security question.

Possible problems are that the attacker steals the security image from the
bank's site and connects to the bank and receives response and poses it to
the user - perhaps the bank can restrict access to the image based on
some scheme of sessions and requesting IP address for the image.

There is room for improvement here, but perhaps it is a step in the right
direction :)

-- Michael
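The three steps above, run as a small simulation so that the user-side check is explicit: the client sends its password only after the site has returned the picture and the question answer the user registered, and a stand-alone fake that never saw those answers gets nothing. This is an added illustration, not code from the post; the Bank and PhishingSite classes, the user "alice", her questions and the sample data are all constructed for the example.

```python
"""Simulation of the reverse-security-question logon flow from the post."""
import hmac
import secrets


class Bank:
    """The genuine site: it knows each user's picture and question answers."""

    def __init__(self, records):
        # records: userid -> {"image": bytes, "answers": {question: answer},
        #                      "password": str}   (constructed sample data)
        self.records = records
        self.sessions = {}

    def begin_logon(self, userid, question):
        """Steps 1-2: the client names itself and picks a question; the bank
        opens a session and replies with the user's picture and its answer."""
        rec = self.records.get(userid)
        if rec is None or question not in rec["answers"]:
            # Unknown user or question: reply with nothing rather than a guess.
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = userid
        return {"session": token, "image": rec["image"],
                "answer": rec["answers"][question]}

    def finish_logon(self, token, password):
        """Step 3: the password is checked only inside the session opened above."""
        userid = self.sessions.pop(token, None)
        if userid is None:
            return False
        return hmac.compare_digest(self.records[userid]["password"], password)


class PhishingSite:
    """A stand-alone fake that copied the logon page but never saw the user's
    answers; it records whatever password the victim hands over.  (A fake that
    relays step 1 to the real bank would obtain the correct reply; that is the
    weakness the post itself raises and this simulation does not cover.)"""

    def __init__(self):
        self.captured_password = None

    def begin_logon(self, userid, question):
        return {"session": "fake", "image": b"guessed-image", "answer": "a guess"}

    def finish_logon(self, token, password):
        self.captured_password = password
        return True


def client_logon(site, userid, question, expected, password):
    """The user's side.  `expected` is the (image, answer) pair the user
    registered.  Returns True only if the site proved itself and the password
    was then accepted; the password is never sent otherwise."""
    reply = site.begin_logon(userid, question)
    if reply is None:
        return False
    proved = (reply["image"] == expected[0]
              and hmac.compare_digest(reply["answer"], expected[1]))
    if not proved:
        return False  # step 3: onus on the user, and the user stops here
    return site.finish_logon(reply["session"], password)


# Constructed sample registration for the example.
RECORDS = {
    "alice": {"image": b"\x89PNG-alice-cat", "password": "correct horse",
              "answers": {"first pet": "Rex", "mother's maiden name": "Smith"}},
}


if __name__ == "__main__":
    bank, fake = Bank(RECORDS), PhishingSite()
    expected = (b"\x89PNG-alice-cat", "Rex")
    print("genuine bank:", client_logon(bank, "alice", "first pet", expected, "correct horse"))
    print("phishing site:", client_logon(fake, "alice", "first pet", expected, "correct horse"),
          "captured:", fake.captured_password)
```

The comparison of the answer uses a constant-time compare on both sides out of habit; the property that matters here is simply that the fake site's `captured_password` stays empty because the client never reaches `finish_logon`.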



-----Original Message-----
From: Griffiths, Ian [mailto:Ian.Griffiths () liv-coll ac uk]
Sent: Thursday, 13 May 2004 2:26 AM
To: "lists ATdawesDOTzaDOTnet"@securityfocus.com
Cc: Amit Sharma; webappsec () securityfocus com
Subject: RE: Phishing


Some good ideas there, Rogan.  I too feel educating users is a large part
of this but how far can you go?  Consider this (fictitious) URL:
 
https://secure.bank.com:/logon/12345 () nefarious fraud net/
 
Fairly easy to set up, completely compliant with protocol, starting with
the right thing, looks genuine to the untrained eye and yet completely
unscrupulous.  I've actually seen something similar in the wild and I'm
completely sure it works; spotting this takes more than a passing exposure
to knowledge of URL composition.
 
Ian

        -----Original Message----- 
        From: Rogan Dawes [mailto:discard () dawes za net] 
        Sent: Wed 12/05/2004 13:59 
        To: Griffiths, Ian 
        Cc: Amit Sharma; webappsec () securityfocus com 
        Subject: Phishing
        

        Make the site name as short as possible, and as obvious as possible, to
        reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com",
        try to use something short and simple like "secure.bank.com", and use it
        consistently for all servers supporting a particular application. That
        way there is less confusion for users, and less likelihood that a
        scammer will get away with using a slightly different domain name.
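A link checker that extracts the host a URL really points to, as an added example tying together Ian's "bank name before an '@'" URL and Rogan's advice to use one short, consistent site name. It is not code from the thread; the URLs, the `attacker.example` domain and the `GENUINE_HOSTS` allow-list are constructed. It follows the RFC 3986 parsing that Python's `urllib.parse` implements: the authority ends at the first "/", so an "@" only moves the host when it appears before that slash.

```python
"""Report which host a link actually names, and whether it matches the
bank's one known site name.  Example code written for this thread."""
from urllib.parse import urlsplit

# Constructed allow-list: the single site name the bank uses everywhere
# (Rogan's "secure.bank.com" convention).  Anything else is flagged.
GENUINE_HOSTS = {"secure.bank.com"}


def inspect_link(url):
    """Return (hostname, has_userinfo, genuine) for a link.

    hostname     - the host a compliant parser resolves the link to
    has_userinfo - True when a user-info part precedes '@' in the authority,
                   the trick Ian describes (a bank name planted before '@')
    genuine      - True only for https, an allow-listed host and no user-info
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    has_userinfo = parts.username is not None
    genuine = (parts.scheme == "https"
               and host in GENUINE_HOSTS
               and not has_userinfo)
    return host, has_userinfo, genuine


if __name__ == "__main__":
    # Constructed sample links: the genuine site, the '@' trick without a
    # slash (host moves to the attacker), the same trick with a slash before
    # '@' (authority already ended, so the host stays the bank's own), and a
    # long per-server name of the kind Rogan advises against.
    for link in (
        "https://secure.bank.com/logon/",
        "https://secure.bank.com@attacker.example/logon/",
        "https://secure.bank.com:/logon/12345@attacker.example/",
        "https://www3.encrypt.bank.com/logon/",
    ):
        print(f"{link!s:60} -> {inspect_link(link)}")
```

The third sample is the instructive one: because the "/" before "@" has already closed the authority, `urlsplit` places the "@" in the path and the host is `secure.bank.com`; only the slash-less form resolves to `attacker.example`. An allow-list against one consistent host name, as Rogan suggests, is what lets the last case be rejected without any knowledge of the trick.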


