How about when I sign up to a service, in addition to my email, password, etc., I tell them a second password or passphrase? Then whenever they send out an email to me, they include that password in plain text. Since only me and the company know the password, it has to have come from them.
-
-
I don't think you understand how phishing works...
http://en.wikipedia.org/wiki/Phishing -
That's an interesting idea.
Rowan wrote:
It seems I don't either. Thanks for the URL.
Angus Higgins
-
The solution to phishing is education; you wouldn't give your bank details to some fella standing behind you at the cash machine, would ya?
-
Rowan wrote:
Users can have a hard time determining if an email has really come from PayPal, eBay, etc. Teaching my mother to carefully examine the URL or email headers is tricky at best!
By including some personal information (other than email address/username) in the message the user knows the email came from a valid source.
I can easily tell my mother to make sure that the email contains her special passphrase.
It's all about helping the user to make informed decisions. -
Andrew Davey wrote: How about when I sign up to a service, in addition to my email, password, etc., I tell them a second password or passphrase? Then whenever they send out an email to me, they include that password in plain text. Since only me and the company know the password, it has to have come from them.
Won't work. People are stupid. The fact you've even spent five minutes thinking about Phishing means you are not their target with the e-mails... More likely is your mum, your dad or any other barely computer literate person.
-
One of the best solutions I've seen to phishing is the username & password & image combo.
It works like this.
- You sign up, create your username and password.
- When registration is complete you are shown a random picture that will be associated with your account.
- When you log in, your associated picture will be displayed along with the username and password fields.
-
UlsterFry wrote: One of the best solutions I've seen to phishing is the username & password & image combo.
It works like this.
- You sign up, create your username and password.
- When registration is complete you are shown a random picture that will be associated with your account.
- When you log in, your associated picture will be displayed along with the username and password fields.
LMAO... So you give the phishing site your login and password... It displays the wrong picture, and so then what? You cry about giving them your login and password already? ...
Talk about a logical fallacy. -
UnoriginalGuy wrote: LMAO... So you give the phishing site your login and password... It displays the wrong picture, and so then what? You cry about giving them your login and password already? ...
Talk about a logical fallacy.
He meant the email from the phisher would have the picture in it.
This isn't going to work because the user will need to upload something to be really unique, and most people can't/don't know how to do that. And if you receive a real email, someone could be looking over your shoulder, seeing what your "personal picture" is, then use it to scam you later.
A good idea, but if implemented wrong it's also ineffective for blind users (or non-graphical MTAs/UAs). I was thinking more of a "personal text", your own password. When sent in email it would be part of a list including 4 other "personal texts", yet only one of them is true. If delivered in a small font, this makes it immune from over-the-shoulder attacks and packet sniffing (since no one uses SSL POP3).
-
BofA's online banking site does something similar.
-
Matthew van Eerde wrote: BofA's online banking site does something similar.
ING just implemented this very feature.
Once you set it up, it works like this:
1) go to site, press 'log me in' button.
2) when prompted, enter in your account number.
3) you are shown your specific picture AND a phrase that you entered. ING allows you to pick from their pictures or upload your own.
4) you must then answer 2 plaintext safety questions picked from 6 or more that you previously answered. (like: "what was your high school mascot.")
5) A 10 digit number pad is presented to allow you to enter in your PIN. From there, you must press the buttons (OR enter the letters next to the buttons...the letters are randomized each time).
6) Stare at the millions of dollars in your account.
It seems like much more of a hassle than it really is. -
Yeah, but I think his point is that you'd see it before going to the site, i.e. it's pre-phish.

-
UnoriginalGuy wrote:

UlsterFry wrote: One of the best solutions I've seen to phishing is the username & password & image combo.
It works like this.
- You sign up, create your username and password.
- When registration is complete you are shown a random picture that will be associated with your account.
- When you log in, your associated picture will be displayed along with the username and password fields.
LMAO... So you give the phishing site your login and password... It displays the wrong picture, and so then what? You cry about giving them your login and password already? ...
Talk about a logical fallacy.
Duh, no you numpty... ..jaasus where do they come from on this board.
- You get an email from said organisation.
- You type in your user name.
- Once the username is confirmed, picture is displayed and x number of characters at x positions are requested from your password.
-
Bank of America does something like this.
-
Something that worries me... what stops the phishers from doing a man-in-the-middle attack?
You enter your username on the phisher's site
The phishers vicariously enter your username on the real site
The real site gives the phishers your pre-chosen picture and confirmation phrase
The phishers relay this to you, proving to you that they are in fact the real site
Oops! -
after a problem with bofa's site I spoke with a bofa staff who had the same kinds of problems I had with the system they use.
for example they (and other sites) give you set lists of things to use.
which may or may not work for the given user.
also many sites use password rules that can at times be too much.
and I fail to see how having more sites ask me to answer more inane questions makes me safer?
and the photo thing; how many users will just pick the default photo?
how many users will fail to notice a fake site with the wrong photo?
how many users will fall for a phishing site that asks them to "update" the info.
what about making email more "restricted" ?
the way html is used in email is half the problem.
like how it can contain links to pictures and hrefs.
block html and image attachments / enclosures and you could cut out a lot of phishing....
or at least force links to match domains and limit hrefs to the domain.
and work on showing the user the link is odd.
-
Matthew van Eerde wrote: Something that worries me... what stops the phishers from doing a man-in-the-middle attack?
You enter your username on the phisher's site
The phishers vicariously enter your username on the real site
The real site gives the phishers your pre-chosen picture and confirmation phrase
The phishers relay this to you, proving to you that they are in fact the real site
Oops!
I think this is coming soon to a phishing site near you...
-
LaBomba wrote:

Matthew van Eerde wrote: Something that worries me... what stops the phishers from doing a man-in-the-middle attack?
You enter your username on the phisher's site
The phishers vicariously enter your username on the real site
The real site gives the phishers your pre-chosen picture and confirmation phrase
The phishers relay this to you, proving to you that they are in fact the real site
Oops!
I think this is coming soon to a phishing site near you...
At this time, it's a slim possibility but I think that the PIN (with appropriate letters) part will mess them up. The letters associated with the numbers are built from a single bitmap, so the phisher would have to run some OCR software and parse out the letters, then rebuild the bitmaps, then enter the appropriate letters into the PIN field. Otherwise, they'd have to somehow 'passthrough' the button clicks from their own website to the bank site.
It's obvious from the response time, that the letters are entered into the PIN login based on some client side scripting which I'd hope was somehow encrypted.
I guess anything is possible, but it would take a lot of work, and they'd certainly have to do some testing against the real bank sites.