WebApp Sec mailing list archives
RE: Phishing
From: "Michael Silk" <silkm () hushmail com>
Date: Wed, 12 May 2004 17:20:20 -0700
Why not reverse the process of a "security question" so instead of the WEBSITE asking YOU the question, YOU ask the WEBSITE. I.e.

Step 1. Pre-logon you enter your userid and choose a question from a list, as well as requiring picture confirmation.
Step 2. Bank validates via picture confirmation, replies with its answer to your chosen question.
Step 3. Onus is on user to decide if the answer to the question was correct, then they may enter in their password and continue.

Its advantage is that a "phisher" cannot possibly know the answer to the security question.

Possible problems are that the attacker steals the security image from the bank's site and connects to the bank and receives the response and poses it to the user - perhaps the bank can restrict access to the image based on some scheme of sessions and requesting IP address for the image.

There is room for improvement here, but perhaps it is a step in the right direction :)

-- Michael

-----Original Message-----
From: Griffiths, Ian [mailto:Ian.Griffiths () liv-coll ac uk]
Sent: Thursday, 13 May 2004 2:26 AM
To: "lists ATdawesDOTzaDOTnet"@securityfocus.com
Cc: Amit Sharma; webappsec () securityfocus com
Subject: RE: Phishing

Some good ideas there Rogan. I too feel educating users is a large part of this but how far can you go? Consider this (fictitious) URL:

https://secure.bank.com:/logon/12345@nefarious.fraud.net/

Fairly easy to set up, completely compliant with protocol, starting with the right thing, looks genuine to the untrained eye and yet completely unscrupulous. I've actually seen something similar in the wild and I'm completely sure it works; spotting this takes more than a passing exposure to knowledge of URL composition.

Ian

-----Original Message-----
From: Rogan Dawes [mailto:discard () dawes za net]
Sent: Wed 12/05/2004 13:59
To: Griffiths, Ian
Cc: Amit Sharma; webappsec () securityfocus com
Subject: Phishing

Make the site name as short as possible, and as obvious as possible, to reduce confusion.

Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com", try to use something short and simple like "secure.bank.com", and use it consistently for all servers supporting a particular application. That way there is less confusion for users, and less likelihood that a scammer will get away with using a slightly different domain name.
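Ian's point about URL composition and Rogan's point about look-alike domain names, as an added example that is not part of the thread: a small link checker built on Python's standard urllib.parse that reports the host a standards-compliant client would actually connect to and flags links that begin with the trusted name but lead elsewhere. The host names, the sample links and the `is_deceptive_link` heuristic are constructed for illustration; note that the URL exactly as quoted in the thread keeps its `@` in the path (after the first `/`), so a compliant parser resolves it to secure.bank.com, whereas the userinfo form with the `@` inside the authority resolves to nefarious.fraud.net.

```python
# Added example (not from the thread): how a standards-compliant URL parser
# resolves the kinds of links discussed above. All hosts are constructed samples.
from urllib.parse import urlsplit

TRUSTED_HOST = "secure.bank.com"

# Constructed sample links: the trusted name appears at the start of each one.
SAMPLE_LINKS = {
    "genuine":   "https://secure.bank.com/logon/",
    "userinfo":  "https://secure.bank.com@nefarious.fraud.net/",
    "thread":    "https://secure.bank.com:/logon/12345@nefarious.fraud.net/",
    "subdomain": "https://secure.bank.com.nefarious.fraud.net/",
}


def effective_host(url: str) -> str:
    """Host a client actually connects to: the authority ends at the first '/'
    after '//', and anything before an '@' inside it is userinfo, not host."""
    return (urlsplit(url).hostname or "").lower()


def is_deceptive_link(url: str, trusted_host: str) -> bool:
    """Flag a link that starts with the trusted name but would not reach it.

    Any userinfo in the authority is treated as suspicious, since a bank
    never needs credentials embedded in a link it sends to customers."""
    trusted = trusted_host.lower()
    parts = urlsplit(url)
    has_userinfo = "@" in parts.netloc
    shown_first = url.split("//", 1)[-1].lower().startswith(trusted)
    return has_userinfo or (shown_first and effective_host(url) != trusted)


def classify(links: dict, trusted_host: str = TRUSTED_HOST) -> dict:
    """Map each sample label to (effective host, deceptive?)."""
    return {name: (effective_host(u), is_deceptive_link(u, trusted_host))
            for name, u in links.items()}


if __name__ == "__main__":
    for name, (host, bad) in classify(SAMPLE_LINKS).items():
        print(f"{name:10} -> connects to {host:36} {'SUSPICIOUS' if bad else 'ok'}")
```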
Current thread:
- RE: Phishing Sarah Elan (May 12)
- RE: Phishing Shivangi Nadkarni (May 12)
- RE: Phishing Zoso (May 13)
- <Possible follow-ups>
- RE: Phishing Rohrer, Mark E (May 12)
- RE: Phishing Griffiths, Ian (May 12)
- Re: Phishing Rogan Dawes (May 13)
- RE: Phishing Adam Lydick (May 14)
- Re: Phishing E.Kellinis (May 15)
- RE: Phishing Griffiths, Ian (May 13)
- RE: Phishing Griffiths, Ian (May 13)
- RE: Phishing Michael Silk (May 13)
- Re: Phishing Amit Sharma (May 13)
- Re: Phishing Amit Sharma (May 13)
- RE: Phishing Pete Simpson (May 13)
- RE: Phishing Griffiths, Ian (May 14)
- RE: Phishing Adam Lydick (May 15)
- RE: Phishing Damon McMahon (May 15)
- RE: Phishing Shivangi Nadkarni (May 12)