
Re: Article - A solution to phishing

Subject: Re: Article - A solution to phishing
Date: Fri, 26 Nov 2004 10:02:19 +1100
Hi Saqib,

 Thanks :)

 You're right; if the customer can't access their email they can't
access their bank. However, it is not necessarily a big problem
though, is it ?

 Most banks offer other mechanisms to access your account - phone
banking, etc, so if it is an absolute emergency you can use their
backup system.

 Also, I would suggest that, unless something goes seriously wrong
with your email provider, it will always be available when you are on
the internet ... Outlook provides a WebAccess system and I imagine the
other big ones would do the same.

 I think the most critical issue to deal with if you implemented it
would be _securing_ your email system. The easiest way to do it is
encrypt the emails. And to make it easy for users to make use of it,
the email providers would need to integrate it or the banks/etc would
need to provide tools that linked in to perform the decryption.

 This way the user would only need to remember their general
pass-phrase to utilise their private key to decrypt these emails.

-- Michael
-----Original Message-----
From: Saqib.N.Ali@seagate.com [mailto:Saqib.N.Ali@seagate.com] 
Sent: Friday, 26 November 2004 9:11 AM
To: Michael Silk
Cc: webappsec@securityfocus.com
Subject: Re: Article - A solution to phishing

Hello Michael,

Interesting article, and well-written.

The technique you are proposing is very similar to assigning an RSA
SecureID to each of the bank's customers. Except in this case the
customer doesn't hold the physical SecureID; instead he/she is sent
the auto-generated number.

One major problem of these kinds of systems is that they are dependent
on a 3rd party service being available whenever the customer wants to
access the bank. In this case the 3rd party service is the customer's
personal email provider, which may not be available all the time.

RSA SecureID has the same problem, i.e. what if the customer loses
his/her SecureID and is at a remote location where he/she cannot
physically go to a bank branch.

Thanks.
Saqib Ali
http://validate.sf.net
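The scheme Saqib describes above (the bank generates a number and sends it to the customer's email, and the customer types it into the login form) is easy to get wrong server-side. The following Python class is an added illustration, not code from Michael's article or from this thread; it assumes a mail-sending callable supplied by the caller and a 5-minute validity window, both of which are constructed here. It shows the properties such a code needs (CSPRNG generation, expiry, single use, constant-time comparison) and what to do when the email channel is down, which is the failure mode Saqib raises.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: emailed code is valid for five minutes


class EmailedCodeLogin:
    """Issue and verify a one-time login code delivered out of band by email."""

    def __init__(self, send_email, clock=time.time):
        # send_email(address, code) is supplied by the caller; it stands in for
        # the bank's mail channel and may raise when the provider is unreachable.
        self._send_email = send_email
        self._clock = clock
        self._pending = {}  # user -> (code, expiry); one outstanding code per user

    def issue(self, user, address):
        """Generate a fresh code for `user` and email it; return False if delivery failed."""
        # 8 decimal digits from the OS CSPRNG, zero-padded so every code is the same length
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = (code, self._clock() + CODE_TTL_SECONDS)
        try:
            self._send_email(address, code)
        except Exception:
            # Email provider unavailable: do not leave a live code the user never saw.
            # The caller can then offer the bank's backup channel (phone banking, etc).
            self._pending.pop(user, None)
            return False
        return True

    def verify(self, user, submitted):
        """Return True only for the current, unexpired code; any attempt consumes it."""
        entry = self._pending.pop(user, None)  # consumed on first use OR first wrong guess
        if entry is None:
            return False
        code, expiry = entry
        if self._clock() > expiry:
            return False
        # constant-time comparison so timing does not leak how many digits matched
        return hmac.compare_digest(code, submitted)
```

Consuming the code on a wrong guess means an attacker who reached the form without reading the inbox gets exactly one guess per emailed code, which is what makes the 8-digit space adequate.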

"Michael Silk" <michaels@phg.com.au>
11/22/2004 07:40 PM

To: <webappsec@securityfocus.com>
cc:
Subject: Article - A solution to phishing

Hi,

    Just a quick little article about a login system that should (I
think :)) prevent phishing attempts on your site.

http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.html

    Have a look at it and let me know what you think ... and apologies
to anyone if an idea like this is already out there :)
 
-- Michael
