WebApp Sec: Re: Article - A solution to phishing

[Joseph Miller <joseph () tidetamerboatlifts com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael, I have to give you kudos for working on a solution.  However, I have 
to say that you solution stinks.  We definitely need more creativity and 
ideas to fix this and I think that you have been creative but not worked with 
the reality of the situation. Users will fight for simplicity, even if it 
exposes them to losing thousands of dollars.  And as you said, the emails 
would not be encrypted.  Any sysadmin or hacker who could break into a 
vulnerable email server has access to the emails and those passwords.  
Obviously, it would not be long before the hacker would be stopped, but he 
doesn't have to get but one account if he knows which one, right?  Each 
website may choose its own method of password creation, even though you 
specifically stated that they should choose good passwords, they might choose 
a crappy incremental scheme anyways and circumvent the whole process.  There 
are simply too many steps, each of which could fail and be disastrous.  But 
keep thinking, one day we will have a half-solution to the problem.  I don't 
believe that it can ever be completely fixed.  99.9% of humans live by 
perception, and that is what phishing thrives on.

- -Joseph Miller

On Monday 22 November 2004 10:40 pm, Michael Silk wrote:
> Hi,
>
>     Just a quick little article about a login system that, should (i
> think :)), prevent phishing attempts on your site.
>
>
> http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
> l
>
>     Have a look at it and let me know what you think ... and apologies
> to anyone if an idea like this is already out there :)
>
> -- Michael
>
>
> **********************************************************************
> This email message and accompanying data may contain information that is
> confidential and/or subject to legal privilege. If you are not the intended
> recipient, you are notified that any use, dissemination, distribution or
> copying of this message or data is prohibited. If you have received this
> email message in error, please notify us immediately and erase all copies
> of this message and attachments.
>
> This email is for your convenience only, you should not rely on any
> information contained herein for contractual or legal purposes. You should
> only rely on information and/or instructions in writing and on company
> letterhead signed by authorised persons.
> **********************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBprWXmXZROF+EADURAmqhAJ43mQxv3dTmsQZz6fgoSL8m1INdLwCeOOgi
Tgjx+UKNzYWN406YQwEC+HE=
=N++X
-----END PGP SIGNATURE-----