WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: Joseph Miller <joseph () tidetamerboatlifts com>
Date: Thu, 25 Nov 2004 23:48:20 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Michael, I have to give you kudos for working on a solution. However, I have to say that you solution stinks. We definitely need more creativity and ideas to fix this and I think that you have been creative but not worked with the reality of the situation. Users will fight for simplicity, even if it exposes them to losing thousands of dollars. And as you said, the emails would not be encrypted. Any sysadmin or hacker who could break into a vulnerable email server has access to the emails and those passwords. Obviously, it would not be long before the hacker would be stopped, but he doesn't have to get but one account if he knows which one, right? Each website may choose its own method of password creation, even though you specifically stated that they should choose good passwords, they might choose a crappy incremental scheme anyways and circumvent the whole process. There are simply too many steps, each of which could fail and be disastrous. But keep thinking, one day we will have a half-solution to the problem. I don't believe that it can ever be completely fixed. 99.9% of humans live by perception, and that is what phishing thrives on. - -Joseph Miller On Monday 22 November 2004 10:40 pm, Michael Silk wrote:
Hi, Just a quick little article about a login system that, should (i think :)), prevent phishing attempts on your site. http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm l Have a look at it and let me know what you think ... and apologies to anyone if an idea like this is already out there :) -- Michael ********************************************************************** This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments. This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons. **********************************************************************
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBprWXmXZROF+EADURAmqhAJ43mQxv3dTmsQZz6fgoSL8m1INdLwCeOOgi Tgjx+UKNzYWN406YQwEC+HE= =N++X -----END PGP SIGNATURE-----
Current thread:
- Article - A solution to phishing Michael Silk (Nov 25)
- Re: Article - A solution to phishing Saqib . N . Ali (Nov 27)
- RE: Article - A solution to phishing Christopher Canova (Nov 27)
- Re: Article - A solution to phishing Andi McLean (Nov 27)
- Re: Article - A solution to phishing ZedGama3 (Nov 27)
- Re: Article - A solution to phishing Joseph Miller (Nov 27)
- Re: Article - A solution to phishing Peter Conrad (Nov 27)
- Re: Article - A solution to phishing John West (Nov 27)
- Re: Article - A solution to phishing Paul Johnston (Nov 27)
- <Possible follow-ups>
- RE: Article - A solution to phishing Damhuis Anton (Nov 27)
- Re: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing Robin Balean (Nov 27)
- RE: Article - A solution to phishing Michael Silk (Nov 27)
- RE: Article - A solution to phishing lists (Nov 27)
- Re: Article - A solution to phishing Joseph Miller (Nov 29)
- Re: Article - A solution to phishing Michael Silk (Nov 29)
- RE: Article - A solution to phishing lists (Nov 27)
(Thread continues...)