WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Fri, 26 Nov 2004 10:02:19 +1100
Hi Saqib, Thanks :) You're right; if the customer can't access their email they can't access their bank. However, it is not neccessarily a big problem though, is it ? Most banks offer other mechanisms to access your account - phone banking, etc, so if it is an absolute emergency you can use their backup system. Also, I would suggest that, unless something goes seriously wrong with your email provider, it will always be available when you are on the internet ... Outlook provides a WebAccess system and I imagine the other big ones would do the same. I think the most critical issue to deal with if you implemented it would be the _securing_ your email system. The easiest way to do it is encrypt the emails. And to make it easy for users to make use of it, the email providers would need to integrate it or the banks/etc would need to provide tools that linked in to perform the decryption. This way the user would only need to remember their general pass-phrase to utilise their private key to decrypt these emails. -- Michael -----Original Message----- From: Saqib.N.Ali () seagate com [mailto:Saqib.N.Ali () seagate com] Sent: Friday, 26 November 2004 9:11 AM To: Michael Silk Cc: webappsec () securityfocus com Subject: Re: Article - A solution to phishing Hello Michael, Interesting article, and well-written. The technique you are proposing is very similar to assigning a RSA SecureID to each of the banc customer. Except in this case the customer doesn't hold the physical SecureID, instead he/she is sent the auto-generated number. One major problem of these kind of systems is that, they are dependent on 3rd party service being available whenever the customer wants to access the banc. In this case the 3rd party service is the customer's personal email provider, which may not be available all the time. RSA SecureID has the same problem, i.e. what if the customer loses his/her SecureID and is at a remote location where he/she can not physically go to banc branch. Thanks. Saqib Ali http://validate.sf.net "Michael Silk" <michaels () phg com au> No Phone Info Available 11/22/2004 07:40 PM To <webappsec () securityfocus com> cc Subject Article - A solution to phishing Hi, Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site. http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm l Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :) -- Michael
Current thread:
- Article - A solution to phishing Michael Silk (Nov 25)
- Re: Article - A solution to phishing Saqib . N . Ali (Nov 27)
- RE: Article - A solution to phishing Christopher Canova (Nov 27)
- Re: Article - A solution to phishing Andi McLean (Nov 27)
- Re: Article - A solution to phishing ZedGama3 (Nov 27)
- Re: Article - A solution to phishing Joseph Miller (Nov 27)
- Re: Article - A solution to phishing Peter Conrad (Nov 27)
- Re: Article - A solution to phishing John West (Nov 27)
- Re: Article - A solution to phishing Paul Johnston (Nov 27)
- <Possible follow-ups>
- RE: Article - A solution to phishing Damhuis Anton (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing Robin Balean (Nov 27)
- RE: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing lists (Nov 27)
- Re: Article - A solution to phishing Joseph Miller (Nov 29)
- Re: Article - A solution to phishing Michael Silk (Nov 29)
- Re: Article - A solution to phishing Rogan Dawes (Nov 30)
- Re: Article - A solution to phishing Adam Shostack (Dec 01)
- Re: Article - A solution to phishing Rogan Dawes (Dec 03)
- RE: Article - A solution to phishing lists (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Dec 14)
- Re: Article - A solution to phishing Adam Tuliper (Dec 15)