Security Incidents mailing list archives
RE: Discovering and Stopping Phishing/Scam Attacks
From: webcenter () sapo pt
Date: Thu, 28 Apr 2005 17:10:01 +0100
alex, i understand your point and agree, the education, the physical ID.. but all this process is just to slow the phisher atacks, and complicate there work... i know that maybe if we complicate the work to phisher atacks, maybe pharming will apear more, and i know that pharming atacks is more dangerous then phishing atacks... so is impossible to turn internet secure with just one login system but if we can make it more secure why not?? you talk about spoofing email accounts, but i think that is not the real "phishing" problem... regards Nuno Costa Alex : Dude, Under your scheme, Phishers would only need to spoof an "unblock" email to the user. How many users are actually going to invent a NEW password and a NEW 3rd item? They are just going to re-enter their current ones and give these to the Phisher. Most people don't even bother making unique passwords for each service. It's still not clear what the utility of the 3rd field is -- seems equivalent to a longer password. - I think a better way to stop phishing is simple education. People are used to verifying physical ID (i.e. Driver's license) for many types of transactions (bank, apartment lease, etc). They need to get used to verifying SSL certificates for login webpages. -Alex
ok mr. moderator... i think the real problem to phishing exists is the weak process of
login
systems today... anyone just needs a login and password, to be authenticated, i
think web
aplications needs to change login systems... to be more tight...
and the
phishers maybe loose there hope to grep information very easy with
just a
username and password... my idea and solution to a new login system is this... creating a 3rd field, this 3rd field the user will choose... it
will work
like saying yes this is the real bank system welcome back mr. user
insert your
password... the process... 1rst page user -> puts the username... second page.. 3rd field -> what is your cat name? now the user knows that this
was the
question that he have put int the 3rdfield from the real bank site
(he can
put what he want)... password ?? -> user puts the password.. he is athenticated. now the phishers they have more work, needs two process to gain
access to
the bank user account... first they need to colect the username to get the 3rd field... and
they
need to put the 3rdfield in the false website... to get the password... but
this
is the deal... when a user or anyone, puts the username in this login system needs
to
proceed with a password, if not, if the user close the browser, if he tries
3times
and can't login, the system will block the username and send a email to
the
real user, a code to unblock the username and force the user to change
the
username and 3rd field... and now the phishers don't know again what will be
the
new username and 3rdfield... this system, is nothing from other planet and i think that help a
lot the
users, and will stop a litle or a big % this phisher mans... regards Nuno Costa
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. -------------------------------------------------------------------------- SMS GRÁTIS do seu PC para qualquer rede nacional (TMN, Vodafone, Optimus e PTC). Basta instalar o SAPO Messenger e adicionar amigos! Vá agora a : http://messenger.sapo.pt/sms/ -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: Discovering and Stopping Phishing/Scam Attacks, (continued)
- RE: Discovering and Stopping Phishing/Scam Attacks Calder, James (EXP) (Apr 27)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Randy (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Nuno Costa (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Dave Greer (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Rainer Duffner (Apr 28)
- Message not available
- Administrivia: RE: Discovering and Stopping Phishing/Scam Attacks Daniel Hanson (Apr 28)
- Re: Administrivia: RE: Discovering and Stopping Phishing/Scam Attacks Valdis . Kletnieks (Apr 29)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Calder, James (EXP) (Apr 27)
- Re: Discovering and Stopping Phishing/Scam Attacks Steven (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Alex (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks webcenter (Apr 28)
- RE: Discovering and Stopping Phishing/Scam Attacks Michael J. Pomraning (Apr 28)
- Re: Discovering and Stopping Phishing/Scam Attacks Andrew Kopp (Apr 28)