[security] How to prevent phishing...
Martin Atkins
mart at degeneration.co.uk
Wed Apr 11 17:29:59 UTC 2007
gaz_sec at hushmail.com wrote:
>
> Hi all,
>
> I've come up with an idea for preventing phishing, I would love to
> hear everyone's thoughts:-
> http://www.thespanner.co.uk/2007/04/11/how-to-prevent-phishing/
>
I think where this sort of approach falls down is the assumption that
users will notice if the login page deviates from the usual. In
practice, users are quite accustomed to web pages drastically changing
every now and then due to new UI or graphic designs.
I suspect that there is even a small subset of users that would happily
respond if prompted with a message saying "In order to continue we need
you to enter your passphrase" on a fake site.
The general case of this problem is that these solutions present
something in the "safe" case that is absent from the "unsafe" case. This
needs to be the opposite: there needs to be nothing special in the
"safe" case, and a big red flashing box with bells on in the "unsafe"
case; unfortunately, detecting the "unsafe" case is a difficult
problem... but we all know that already.