52 items tagged “phishing”
Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other. # 18th November 2007, 11:21 am
The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords? # 12th October 2007, 9:25 am
Cronto. I saw a demo of this the other day—it’s a neat anti-phishing scheme that also protects against man in the middle attacks. It works using challenge/response: an image is shown which embeds a signed transaction code; the user then uses an application on their laptop or mobile phone to decode the image and enters the resulting code back in to the online application. # 2nd October 2007, 1:14 am
User account breaches are inevitable. We should take that in to account when designing our applications.[... 545 words]
A typical phishing email will have a generic greeting, such as ’Dear User’. Note: All PayPal emails will greet you by your first and last name.
Beginner’s guide to OpenID phishing (via) Excellent primer on the phishing problem, which concludes that phishing can only be solved by moving away from usernames and passwords entirely. # 23rd March 2007, 9:22 pm
In an ideal world, some or all of the sites with large user databases (Yahoo!, AOL, Google, Amazon and so on) would act as OpenID providers, allowing their users to sign in to OpenID supporting sites around the Web. Until that happens, people who want to use OpenID need to sign up for Yet Another Account to do so.[... 414 words]
MySpace Allegedly Kills Computer Security Website. No need for the allegedly; it’s been confirmed. MySpace got GoDaddy.com to redirect DNS for seclists.org after a list of phished user accounts posted to the full disclosure mailing list list was archived there. # 26th January 2007, 9:57 am
We have a unique opportunity with phishing and OpenID. OpenID can make the possibility for bad things to happen from phishing that much worse. However, having an OpenID means you create a more intimate relationship with your OpenID provider. You go there everyday. You will more likely know when something is wrong.
Phishing and OpenID: Bookmarks to the Rescue? Ping extends my proposal to use bookmarks as the principle authentication mechanism, resulting in a system that is much easier for people to understand. # 21st January 2007, 1:36 am
I can also sum things up for you even more succinctly: —users are task oriented, driving to complete the goal the quickest way possible —users pay more attention to the content area than the browser chrome —users don’t understand how easy it is to spoof a website
Most of the arguments I hear against OpenID are based on mis-understandings of the specification, but there is one that can’t be ignored: OpenID is extremely vulnerable to phishing.[... 531 words]
Why don’t we have a .bank or .bank.country_code TLD that’s regulated by the same people that regulate the banks themselves?