Security Basics mailing list archives

Re: Anti-Phishing with digital watermarking


From: "Ryan Greenier" <rgreenier () gmail com>
Date: Tue, 30 Sep 2008 13:22:44 -0400

I'd HIGHLY disagree with it being closer to 100% unreliable than
reliable. Most of the phishing attacks against institutions that my
company provides service for are copy/paste type deals leaving all
kinds of other info on there that is unrelated to what the attackers
are trying to accomplish (such as stats, etc). Shoot, they even leave
the JavaScript in there that determines the user's browsing
experience. Those alone could be triggers if programmed
differently/watched.

I agree it's not really a quote unquote security measure and you
should have other safeguards in place, but if it succeeds even 1% of
the time in notifying you before users start being victimized, it's
worth the hour or so it takes you to implement IMHO.

- Ryan


On Mon, Sep 29, 2008 at 19:06, Ansgar Wiechers <bugtraq () planetcobalt net> wrote:
> On 2008-09-30 Razi Shaban wrote:
>>> Which, of course, is totally unreliable (and thus utterly pointless
>>> as a security measure), because you make way too many assumptions
>>> (client has JavaScript enabled, phisher doesn't check the used
>>> website for phone-home code, phisher uses the original website in
>>> the first place, ...).
>>
>> So because it is not 100% reliable, we shouldn't use it?
>
> I'd say it's closer to 100% unreliable than to 100% reliable. But even
> if it isn't, how do you calculate the chances? You just have too many
> variables.
>
> You noticed the word "security" in this mailing list's name? What makes
> you think a measure of questionable reliability could possibly count as
> a security measure?
>
> Regards
> Ansgar Wiechers
> --
> "The Mac OS X kernel should never panic because, when it does, it
> seriously inconveniences the user."
> --http://developer.apple.com/technotes/tn2004/tn2118.html
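
One way to "watch" for the copy/paste pages discussed in this thread, as an added example that is not part of the original messages: scan the web server's access log for requests to the site's own scripts and images whose Referer is a foreign host. The host names, the Combined Log Format and the log lines are constructed assumptions, and requests without a Referer give no signal, which is one of the gaps raised in the quoted reply.

```javascript
// Added example: hosts and log lines below are constructed, not from the thread.
const OWN_HOSTS = ["bank.example", "www.bank.example"]; // assumed legitimate origins
const WATCHED = /\.(js|css|png|gif|jpg)$/i;             // assets a copied page would still load

// Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function refererHost(referer) {
  if (!referer || referer === "-") return null; // header stripped or absent: no signal
  try {
    return new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return null; // malformed Referer
  }
}

// Exact match or true subdomain only, so "bank.example.evil.test" is not trusted.
function isOwnHost(host) {
  return OWN_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

function findForeignReferers(logText) {
  const hits = new Map(); // foreign host -> { count, firstSeen, assets }
  for (const line of logText.split("\n")) {
    const m = LINE.exec(line.trim());
    if (!m) continue; // not a Combined Log Format line
    const [, , time, , path, , referer] = m;
    const asset = path.split("?")[0];
    const host = refererHost(referer);
    if (!host || isOwnHost(host) || !WATCHED.test(asset)) continue;
    const hit = hits.get(host) || { count: 0, firstSeen: time, assets: new Set() };
    hit.count += 1;
    hit.assets.add(asset);
    hits.set(host, hit);
  }
  return hits;
}

const SAMPLE_LOG = [
  '198.51.100.7 - - [30/Sep/2008:13:01:02 -0400] "GET /js/stats.js HTTP/1.1" 200 512 "https://www.bank.example/login" "Mozilla/5.0"',
  '203.0.113.9 - - [30/Sep/2008:13:05:10 -0400] "GET /js/stats.js HTTP/1.1" 200 512 "http://bank.example.evil.test/login.html" "Mozilla/5.0"',
  '203.0.113.9 - - [30/Sep/2008:13:05:11 -0400] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://bank.example.evil.test/login.html" "Mozilla/5.0"',
  '192.0.2.44 - - [30/Sep/2008:13:06:00 -0400] "GET /img/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
].join("\n");

for (const [host, hit] of findForeignReferers(SAMPLE_LOG)) {
  console.log(`${host}: ${hit.count} requests since ${hit.firstSeen}`, [...hit.assets]);
}
```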


