Comments on: Simple way to avoid fake website logins http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/ Ponderings of things that go "Ping!" by Jeff Pickell Wed, 18 Feb 2009 21:51:39 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: Jeff http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-116 Jeff Mon, 02 Feb 2009 03:08:50 +0000 http://www.vxrs.com/?p=54#comment-116 Jennifer, What kind of details are you looking for? Are you referring to the previous comment by Antonio, or on the post itself? Jennifer, What kind of details are you looking for? Are you referring to the previous comment by Antonio, or on the post itself?

]]> By: Jennifer Manson http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-115 Jennifer Manson Mon, 02 Feb 2009 02:51:04 +0000 http://www.vxrs.com/?p=54#comment-115 I will appreciate if you provide more details on this. Thanks. I will appreciate if you provide more details on this. Thanks.

]]> By: Antonio http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-83 Antonio Thu, 18 Sep 2008 18:53:31 +0000 http://www.vxrs.com/?p=54#comment-83 This is a stupid idea. If the phishing site uses the credentials given it to log in to the real bank site in real time - it _can_ verify whether or not the credentials entered are valid. And we've seen sites doing exactly this for years now. Sure this may work on some of the less advanced phishing sites but this is not good advice overall. Want the real answer? How about opening up a second tab/window and typing in the bank's website address by hand. Won't help WRT DNS poisoning or other MiTM attacks but will prevent the entire class of obfuscation/redirection tricks. This is a stupid idea. If the phishing site uses the credentials given it to log in to the real bank site in real time – it _can_ verify whether or not the credentials entered are valid. And we’ve seen sites doing exactly this for years now. Sure this may work on some of the less advanced phishing sites but this is not good advice overall.

Want the real answer? How about opening up a second tab/window and typing in the bank’s website address by hand. Won’t help WRT DNS poisoning or other MiTM attacks but will prevent the entire class of obfuscation/redirection tricks.

]]> By: Jeff http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-81 Jeff Thu, 18 Sep 2008 14:02:10 +0000 http://www.vxrs.com/?p=54#comment-81 Shh! Don't tell the bad guys! Well, the easiest thing to do would be to up the ante a bit on our end and just enter two bad passwords, then the good one. Obviously this doesn't scale very well and eventually the phishers could just take the initial credentials and perform their own authentication against the legitimate site to verify whether or not their correct. That would be the easiest way to foil this little anti-phishing scheme. So what is a robust, scalable solution that provides authentication of both the sender and reciever? How about SSL? What about single use passwords? Before you start thinking that these are foolproof, allow me to introduce you to Dan Kaminsky and his work on DNS cache poisoning: https://www.blackhat.com/presentations/bh-usa-08/Kaminsky/08_bhb_od2_slides.m4v Shh! Don’t tell the bad guys!

Well, the easiest thing to do would be to up the ante a bit on our end and just enter two bad passwords, then the good one. Obviously this doesn’t scale very well and eventually the phishers could just take the initial credentials and perform their own authentication against the legitimate site to verify whether or not their correct. That would be the easiest way to foil this little anti-phishing scheme.

So what is a robust, scalable solution that provides authentication of both the sender and reciever? How about SSL? What about single use passwords? Before you start thinking that these are foolproof, allow me to introduce you to Dan Kaminsky and his work on DNS cache poisoning: https://www.blackhat.com/presentations/bh-usa-08/Kaminsky/08_bhb_od2_slides.m4v

]]> By: Manny http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-80 Manny Thu, 18 Sep 2008 10:15:09 +0000 http://www.vxrs.com/?p=54#comment-80 Something I thought of this morning, though... If this catches on big enough, the phishers could have the form reject first then accept the second time. Something I thought of this morning, though… If this catches on big enough, the phishers could have the form reject first then accept the second time.

]]> By: Jeff http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-77 Jeff Wed, 17 Sep 2008 19:34:03 +0000 http://www.vxrs.com/?p=54#comment-77 If it has been broadcast before, I haven't heard it until today... Maybe there's a flaw in the logic somewhere that somebody can point out, but as of now I'm telling everyone I know! I think that maybe it's one of those things that are so simple, we tend to overlook them. If it has been broadcast before, I haven’t heard it until today… Maybe there’s a flaw in the logic somewhere that somebody can point out, but as of now I’m telling everyone I know!

I think that maybe it’s one of those things that are so simple, we tend to overlook them.

]]> By: Manny http://www.jeffpickell.com/security/simple-way-to-avoid-fake-website-logins/comment-page-1/#comment-76 Manny Wed, 17 Sep 2008 19:31:33 +0000 http://www.vxrs.com/?p=54#comment-76 Nice. It's so simplistic and seems fail safe. Wonder why it hasn't been broadcast more than it has? (Or has it? ;) ) Nice. It’s so simplistic and seems fail safe. Wonder why it hasn’t been broadcast more than it has? (Or has it? ;) )

]]>