WebApp Sec
mailing list archives
Re: Article - A solution to phishing
From: Michael Silk <michaelsilk () gmail com>
Date: Fri, 24 Dec 2004 11:27:18 +1100
Hi Marco,
Am I missing something here?
I think so :)
You mention another "password" in your scheme of changing email
addresses. There is no such password.
The system might handle an email-change by having the user login, and
then click "change email" where they place the new email address.
Silkbank would then send a confirmation email _to the old_ email
account that needs to be clicked to activate the change. From then on,
the new email address is used.
-- Michael
PS: Typically when you create these online accounts with banks you do
it in-store (at least in Australia).
-----Original Message-----
From: Marco Aurelio dos Santos [mailto:marco.gs () ig com br]
Sent: Thu 23/12/2004 5:26 AM
To: webappsec () securityfocus com
Cc:
Subject: Re: Article - A solution to phishing
In-Reply-To: <b841ffed0412092222217e0dc1 () mail gmail com>
Hello Michael, hello everybody
I really think this solution is useful. At least it's original, and
gives us an entirely new range of thinking. But, if you look at it,
it's not so great. A lot of people have already made objections to it,
so here are my two cents: let's think about Michael Silk's
Internet Banking. The user will have to fill in a form with his/her
information at some point, right? I mean, if the bank is going to send
you an e-mail every time you access the Internet Banking system, first
of all it has to have your e-mail address. Ok. So, after six months
using Silk's Internet Banking, I decide to move to another ISP. I need
to inform the Bank about my new e-mail address. I suppose the bank
will have a form at its web site for this kind of situation. I will
open the appropriate URL, type in username and password and inform my
new e-mail, e.g. marco () silkbank com
Well, it's a flaw, isn't it? If someone gets THIS password, they can
go to this URL and inform hacker () imabadguy com as the new e-mail
address.
Am I missing something here?
Regards
Marco Aurelio