From: Alex (incidentsalex.gotdns.org)
Date: Thu Apr 28 2005 - 10:45:34 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dude,

Under your scheme, Phishers would only need to spoof an "unblock" email to
the user.

How many users are actually going to invent a NEW password and a NEW 3rd
item? They are just going to re-enter their current ones and give these to
the Phisher.

Most people don't even bother making unique passwords for each service.

It's still not clear what the utility of the 3rd field is -- seems
equivalent to a longer password.

-

I think a better way to stop phishing is simple education. People are used
to verifying physical ID (i.e. Driver's license) for many types of
transactions (bank, apartment lease, etc). They need to get used to
verifying SSL certificates for login webpages.

-Alex

>
> ok mr. moderator...
>
> i think the real problem to phishing exists is the weak process of login
> systems
> today...
>
> anyone just needs a login and password, to be authenticated, i think web
> aplications needs to change login systems... to be more tight... and the
> phishers maybe loose there hope to grep information very easy with just a
> username and password...
>
> my idea and solution to a new login system is this...
>
> creating a 3rd field, this 3rd field the user will choose... it will work
> like
> saying yes this is the real bank system welcome back mr. user insert your
> password...
>
> the process...
>
> 1rst page
> user -> puts the username...
>
> second page..
>
> 3rd field -> what is your cat name? now the user knows that this was the
> question that he have put int the 3rdfield from the real bank site (he can
> put
> what he want)...
> password ?? -> user puts the password.. he is athenticated.
>
> now the phishers they have more work, needs two process to gain access to
> the
> bank user account...
>
> first they need to colect the username to get the 3rd field... and they
> need to
> put the 3rdfield in the false website... to get the password... but this
> is the
> deal...
>
> when a user or anyone, puts the username in this login system needs to
> proceed
> with a password, if not, if the user close the browser, if he tries 3times
> and
> can't login, the system will block the username and send a email to the
> real
> user, a code to unblock the username and force the user to change the
> username
> and 3rd field... and now the phishers don't know again what will be the
> new
> username and 3rdfield...
>
> this system, is nothing from other planet and i think that help a lot the
> users,
> and will stop a litle or a big % this phisher mans...
>
>
> regards
> Nuno Costa

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]