Home page logo

webappsec logo WebApp Sec mailing list archives

RE: Phishing
From: "Michael Silk" <silkm () hushmail com>
Date: Wed, 12 May 2004 17:20:20 -0700

Why not reverse the process of a "security question" so instead of
the WEBSITE asking YOU the question, YOU ask the WEBSITE.


Step 1. Pre-logon you enter your userid and choose a question from a
        list, as well as requiring picture confirmation.

Step 2. Bank validates via picture confirmation, replies with its answer
        to your chosen question.

Step 3. Onus is on user to decide if the answer to the question was correct,

        then they may enter in their password and continue.

It's advantage is that a "phisher" cannot possibly know the answer to
security question.

Possible problems are that the attacker steals the security image from
banks site and connects to the bank and receives response and poses it
the user - perhaps the bank can restrict access to the image based on
some scheme of sessions and requesting IP address for the image.

there is room for improvement here, but perhaps it is a step in the right
direction :)

-- Michael

-----Original Message-----
From: Griffiths, Ian [mailto:Ian.Griffiths () liv-coll ac uk]
Sent: Thursday, 13 May 2004 2:26 AM
To: "lists ATdawesDOTzaDOTnet"@securityfocus.com
Cc: Amit Sharma; webappsec () securityfocus com
Subject: RE: Phishing

Some good ideas there Rogan.  I to feel educating users is a large part
of this but how far can you go?  Consider this (ficticious) URL:
https://secure.bank.com:/logon/12345 () nefarious fraud net/
Fairly easy to set up, completely compliant with protocol, starting with
the right thing, looks genuine to the untrained eye and yet completely
unscrupulous.  I've actually seen something similar in the wild and I'm
completely sure it works, spotting this takes more than a passing exposure
to knowledge of URL composition.

        -----Original Message----- 
        From: Rogan Dawes [mailto:discard () dawes za net] 
        Sent: Wed 12/05/2004 13:59 
        To: Griffiths, Ian 
        Cc: Amit Sharma; webappsec () securityfocus com 
        Subject: Phishing

        Make the site name as short as possible, and as obvious as possible,
        reduce confusion. Rather than "www{1,2,3,4,5,6,7,8,9}.encrypt.bank.com",

        try to use something short and simple like "secure.bank.com", and use
        consistently for all servers supporting a particular application. That
        way there is less confusion for users, and less likelihood that a
        scammer will get away with using a slightly different domain name.

Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger

Promote security and make money with the Hushmail Affiliate Program: 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]