
Re: Article - A solution to phishing

Subject: Re: Article - A solution to phishing
Date: Fri, 24 Dec 2004 11:27:18 +1100
Hi Marco,

Am I missing something here?

I think so :)

You mention another "password" in your scheme of changing email
addresses. There is no such password.

The system might handle an email-change by having the user login, and
then click "change email" where they place the new email address.
Silkbank would then send a confirmation email _to the old_ email
account that needs to be clicked to activate the change. From then on,
the new email address is used.

-- Michael

PS: Typically when you create these online accounts with banks you do
it in-store (at least in Australia).


-----Original Message----- 
From: Marco Aurelio dos Santos [mailto:marco.gs@ig.com.br] 
Sent: Thu 23/12/2004 5:26 AM 
To: webappsec@securityfocus.com 
Cc: 
Subject: Re: Article - A solution to phishing

In-Reply-To: <b841ffed0412092222217e0dc1@mail.gmail.com>

Hello Michael, hello everybody

I really think this solution is useful. At least it's original, and
gives us an entirely new range of thinking. But, if you look at it,
it's not so great. A lot of people have already made objections to it,
so here are my two cents: let's think about Michael Silk's
Internet Banking. The user will have to fill in a form with his/her
information at some point, right? I mean, if the bank is going to send
you an e-mail every time you access the Internet Banking system, first
of all it has to have your e-mail address. Ok. So, after six months
using Silk's Internet Banking, I decide to move to another ISP. I need
to inform the Bank about my new e-mail address. I suppose the bank
will have a form on its web site for this kind of situation. I will
open the appropriate URL, type in username and password and enter my
new e-mail, e.g. marco@silkbank.com.

Well, it's a flaw, isn't it? If someone gets THIS password, they can
go to this URL and enter hacker@imabadguy.com as the new e-mail
address.

Am I missing something here?



Regards



Marco Aurelio
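The two messages above describe one design question: Marco's objection is that a stolen password alone would let the attacker redirect the notification address, and Michael's answer is that the change only takes effect after a confirmation link mailed to the old address is clicked. The following is an added example, not code from either poster or from any bank, showing how such a flow is implemented so that the password by itself cannot complete the change. It assumes an in-memory account record, a constructed outbox standing in for the mail transport, a one-hour token lifetime, and hypothetical function names of the example's own choosing.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 3600  # assumption: a confirmation link is valid for one hour


@dataclass
class Account:
    username: str
    email: str
    # Pending change keyed by the SHA-256 of the token, so a database dump
    # does not reveal usable links: token_hash -> (new_email, expires_at).
    pending: dict = field(default_factory=dict)


class Outbox:
    """Constructed stand-in for the mail transport; records (recipient, body)."""

    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(account, new_email, outbox, now=None):
    """Step 1: the logged-in user submits a new address.

    The stored address is NOT touched here. A single-use random token is
    mailed to the OLD address, so whoever only knows the password still
    needs access to the existing mailbox to finish the change.
    Any earlier pending request is discarded.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.pending = {_hash_token(token): (new_email, now + TOKEN_TTL_SECONDS)}
    outbox.send(account.email,
                f"Confirm changing your address to {new_email}: /confirm?token={token}")
    return token  # returned only so a caller can simulate the mailbox click


def confirm_email_change(account, token, now=None):
    """Step 2: the link from the old mailbox is followed.

    Applies the change only if the token matches the pending request and
    has not expired. The entry is removed on every attempt that reaches a
    stored token, which makes the link single-use.
    """
    now = time.time() if now is None else now
    entry = account.pending.pop(_hash_token(token), None)
    if entry is None:
        return False  # unknown token, or nothing pending
    new_email, expires_at = entry
    if now > expires_at:
        return False  # stale link: the user must start over
    account.email = new_email
    return True


if __name__ == "__main__":
    # Constructed walk-through of the flow discussed in the thread.
    acct = Account("marco", "marco@old-isp.example")
    outbox = Outbox()
    tok = request_email_change(acct, "marco@new-isp.example", outbox)
    print("address after request:", acct.email)        # still the old one
    print("mail went to:", outbox.sent[0][0])           # the old mailbox
    print("confirmed:", confirm_email_change(acct, tok))
    print("address after confirm:", acct.email)
```

The point the code makes concrete is that `request_email_change` never writes the new address; only `confirm_email_change`, which requires a value that was delivered exclusively to the old mailbox, does. Hashing the token before storage and expiring it are the two details a reviewer would expect to see alongside the basic "mail the old address" idea.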
