WebApp Sec mailing list archives
Re: Article - A solution to phishing
From: John West <jwest23 () gmail com>
Date: Fri, 26 Nov 2004 12:27:44 -0500
On Tue, 23 Nov 2004 14:40:30 +1100, Michael Silk <michaels () phg com au> wrote:
Just a quick little article about a login system that should (I think :)) prevent phishing attempts on your site. http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html
Why not an implementation based on OPIE (http://inner.net/opie), then?

- The user navigates to the login page.
- The user enters their login name.
- A challenge is generated and sent to the registered email address along with a URL that will for a given time window allow them to respond.
- The user calculates the response to the challenge locally.
- The user clicks on the URL for the response page.
- The user responds with their one-time password and can enter.

As soon as the response is entered correctly, the challenge is invalidated. If it is entered N times incorrectly, it is invalidated. If the time limit has been exceeded, it is invalidated.

This alleviates disadvantage #1, at any rate.

As you mentioned, the most severe disadvantage is that no users currently have to jump through any sort of these hoops to login to a site. It's a marketing nightmare. My assumption is that any large-sale site would lose business in droves by requiring non-standard authentication. Implementing this might work as an opt-in solution, however. Security-minded folks are more likely to adopt it quickly, while enlightening the masses.

--John

--
John West
jwest23 () gmail com
-><- 'tis an ill wind that blows no minds -><-
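The challenge lifecycle described in the message above, sketched as an added example that is not part of the original post and is not OPIE's code. It assumes an S/Key-style hash chain with SHA-256 standing in for OPIE's hash, and the names `issue`, `respond`, `MAX_ATTEMPTS` and `WINDOW_SECONDS` (with their values) are hypothetical.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 3        # the post's "N"; value assumed
WINDOW_SECONDS = 600    # the post's "given time window"; value assumed

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """User side: hash seed+secret, then re-hash n times (S/Key-style chain).
    SHA-256 is a stand-in; this is not OPIE's wire format."""
    h = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h

class Account:
    """Server side: keeps only the last accepted OTP, never the secret."""
    def __init__(self, seed: bytes, n: int, otp_n: bytes):
        self.seed, self.n, self.last = seed, n, otp_n
        self.challenge = None   # at most one open challenge per account

def issue(acct: Account, now: float):
    """Open a challenge; the return value is what the email would carry."""
    token = secrets.token_urlsafe(16)   # unguessable part of the response URL
    acct.challenge = {"token": token, "expires": now + WINDOW_SECONDS, "fails": 0}
    return token, acct.seed, acct.n - 1

def respond(acct: Account, token: str, response: bytes, now: float) -> str:
    """Check a response and apply the three invalidation rules from the post."""
    ch = acct.challenge
    if ch is None or not hmac.compare_digest(ch["token"], token):
        return "no-challenge"
    if now > ch["expires"]:
        acct.challenge = None                      # time limit exceeded
        return "expired"
    # One hash step over the response must reproduce the stored OTP.
    if hmac.compare_digest(hashlib.sha256(response).digest(), acct.last):
        acct.last, acct.n = response, acct.n - 1   # move one step down the chain
        acct.challenge = None                      # correct response: used up
        return "ok"
    ch["fails"] += 1
    if ch["fails"] >= MAX_ATTEMPTS:
        acct.challenge = None                      # N incorrect responses
        return "locked"
    return "wrong"
```

Because the server stores only the previous one-time password, a response captured by a look-alike page after it has been accepted fails the next check. The chain has to be re-seeded before `n` reaches zero.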