Simon Willison’s Weblog


52 items tagged “phishing”

2008 Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing. # 17th January 2008, 2:35 pm


Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other. # 18th November 2007, 11:21 am

MyOpenID adds Information Card Support. First client SSL certificates, now Information Cards. MyOpenID is certainly taking browser-based phishing solutions seriously. # 18th October 2007, 9:10 pm

The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords? # 12th October 2007, 9:25 am

Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am

Designing for a security breach

User account breaches are inevitable. We should take that in to account when designing our applications.

[... 545 words]

A typical phishing email will have a generic greeting, such as ’Dear User’. Note: All PayPal emails will greet you by your first and last name.

PayPal's Phishing Guide # 22nd September 2007, 2:33 pm

Beginner’s guide to OpenID phishing (via) Excellent primer on the phishing problem, which concludes that phishing can only be solved by moving away from usernames and passwords entirely. # 23rd March 2007, 9:22 pm

What is OpenID Good For? Dare Obasanjo provides some smart responses to Tim Bray’s criticisms of OpenID, including a good angle on the phishing problem. # 14th March 2007, 10:12 am Use your Yahoo! account as an OpenID

In an ideal world, some or all of the sites with large user databases (Yahoo!, AOL, Google, Amazon and so on) would act as OpenID providers, allowing their users to sign in to OpenID supporting sites around the Web. Until that happens, people who want to use OpenID need to sign up for Yet Another Account to do so.

[... 414 words]

MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got to redirect DNS for after a list of phished user accounts posted to the full disclosure mailing list list was archived there. # 26th January 2007, 9:57 am

MyOpenID: New anti-phishing tools available. Includes SafeSignIn, which removes the login form from the landing page. You have to enable it in your preferences though. # 24th January 2007, 3:02 pm

We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there everyday. You will more likely know when something is wrong.

Scott Kveton # 24th January 2007, 3:02 pm

Phishing and OpenID: Bookmarks to the Rescue? Ping extends my proposal to use bookmarks as the principle authentication mechanism, resulting in a system that is much easier for people to understand. # 21st January 2007, 1:36 am

XMPP OpenID server. An OpenID provider that sends you a Jabber message when you try to log in, to help guard against phishing. # 20th January 2007, 11:24 pm

I can also sum things up for you even more succinctly:
—users are task oriented, driving to complete the goal the
quickest way possible
—users pay more attention to the content area than the browser chrome
—users don’t understand how easy it is to spoof a website

Mike Beltzner # 19th January 2007, 5:33 pm

Links to academic papers on phishing. Posted to the openid-general list by Mike Beltzner. # 19th January 2007, 5:32 pm

Solving the OpenID phishing problem

Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.

[... 531 words]

Why don’t we have a .bank or .bank.country_code TLD that’s regulated by the same people that regulate the banks themselves?

Dean Wilson # 7th January 2007, 10:22 pm


Real-World Passwords. Random passwords phished from MySpace are surprisingly decent. # 14th December 2006, 2:14 pm Trojaned Navigation Menu. Replace the “Home” link with a link to a phishing page. # 8th December 2006, 4:41 pm


Internet Explorer 7. It’s been announced, but the stated focus is security and anti-phishing. No news on improved CSS. # 15th February 2005, 7:04 pm