
[suggestion] Anti-Phishing for login system: personalized message


Guest W13


Posted

I used Verified by Visa today, and they have added a new feature: a personalized message.

It is supposed to help fight against phishing. The login box asks you to enter your Verified by Visa password, and also shows your "personalized message" (you set this when you register for Verified by Visa).

Recently, my forums got phished big time. A replica login page with a similar looking URL caused 100s of people to get hacked.

Now, it got me thinking:

1. User clicks "login" on IPB
2. Types in the "user name"
3. Ajax grabs their "personalized message" (which they set during registration)
4. The "personalized message" is shown in a third field called "personalized message"
5. Then, once it is shown, the password field is unlocked (disabled=false)
6. The user is happy to enter their password in a place that knows their "personalized message"


If I don't see my personalized message, then I know something is wrong!

Also, use GD library (not plain text) to show the personalized message and randomize the name of the image, etc. That way, nobody can just open a hidden iframe with your login page, and remotely grab the personalized message. (they can with PHP, ... but you can block requests from their server... or use some other methods to stop somebody file_get_contents'ing or cURL-ing it)

Posted

> Now, it got me thinking:
>
> 1. User clicks "login" on IPB
> 2. Types in the "user name"
> 3. Ajax grabs their "personalized message" (which they set during registration)
> 4. The "personalized message" is shown in a third field called "personalized message"
> 5. Then, once it is shown, the password field is unlocked (disabled=false)
> 6. The user is happy to enter their password in a place that knows their "personalized message"

What would stop someone from entering someone else's name, getting their personal message, and then using it on the phishing site they set up?

Posted

> What would stop someone from entering someone else's name, getting their personal message, and then using it on the phishing site they set up?

To be quite honest, I saw a technical whitepaper from a hacker recently (last 6 months) where they described a similar, but slightly different, method to accomplish nearly the same thing.

They set up a fake Bank of America site, which uses a personalized message + image for anti-phishing purposes.

When a user enters their username (as they would at BofA) they used backend processing to call out to the BofA site to actually retrieve the page displaying the image and personalized message. Then they were capable of just showing this on their spoofed page.

Don't even need to manually go to the site to do this. If they set up a spoof page, the AJAX call to their server can then use curl or something to call out to the REAL site with the username to get it at runtime.

While it's a novel idea, it's definitely not foolproof, and can definitely provide a false sense of security.

Posted

Got any ideas how to do so? I think Bank of America and other sites where security is of the utmost priority (financial institutions, for instance) would be very interested in them too. :) If they're having a hard time figuring out how that can be done, obviously it's a bit trickier than it sounds.

Posted

How about an "Internet User License" - sort of like the "Driver's License" (for cars).

Only people that pass it are able to use the Internet. Otherwise, they get a fine.

Posted

> How about an "Internet User License" - sort of like the "Driver's License" (for cars).
>
> Only people that pass it are able to use the Internet. Otherwise, they get a fine.

:lol: Perhaps an IQ test to go along with it.

"Hit any key"
"I can't find the any key, where is it on my keyboard?"
"I apologize, you fail the internet test"

Posted

> :lol: Perhaps an IQ test to go along with it.
>
> "Hit any key"
> "I can't find the any key, where is it on my keyboard?"
> "I apologize, you fail the internet test"

OK, I failed the test, but put me out of my misery, where's the any key?!

Posted

> Here is a simple way: set the message in a cookie. Good luck doing phoney site then!

That's a pretty good idea.

However, I think you can still grab cookie info using cURL.
Posted

You can't use a cookie as they can be deleted. Or if you used another browser the cookie wouldn't be there.

Whatever can be used legitimately can almost certainly be used by a hacker.
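
The flow proposed in the first post, the objection that typing someone else's username is enough to fetch their message, and the cookie idea discussed just above all turn on one question: what does the server demand before it reveals the message? The Python below is an added example written for this thread, not code from IPB or from any poster. It puts the username-only lookup next to a version that only answers a browser carrying a server-issued device cookie whose HMAC tag binds it to one account. The user store, the messages, the cookie format and the server key are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo user store: each account's personalized message and the set of
# device ids that have completed a full password login on it. Not real accounts.
USERS = {
    "alice": {"message": "purple giraffe", "devices": set()},
    "bob": {"message": "rainy tuesday", "devices": set()},
}

# Server-side key for minting device cookies (assumed; never sent to the browser).
SERVER_KEY = secrets.token_bytes(32)


def lookup_message_weak(username: str) -> Optional[str]:
    """The flow as first proposed: the username alone unlocks the message.

    Any client that can send the AJAX request gets the same answer, which is the
    objection raised in the thread: a spoof page's backend can ask just as well.
    """
    user = USERS.get(username)
    return user["message"] if user else None


def _cookie_tag(username: str, device_id: str) -> str:
    # Bind the device id to one account so a cookie cannot be reused for another user.
    return hmac.new(SERVER_KEY, f"{username}:{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(username: str) -> str:
    """Mint a cookie after a full, password-verified login on a new browser.

    The random device id is remembered server-side so it can be revoked, and the
    HMAC tag stops a client from forging a cookie for a username it does not own.
    """
    device_id = secrets.token_hex(16)
    USERS[username]["devices"].add(device_id)
    return f"{device_id}.{_cookie_tag(username, device_id)}"


def lookup_message_hardened(username: str, device_cookie: Optional[str]) -> Optional[str]:
    """Reveal the message only to a browser that has already proven itself on this account.

    A relay from another server, a different browser, or a cleared cookie all arrive
    without a valid cookie and get None; the real site would then fall back to a
    stronger check before showing anything account-specific.
    """
    user = USERS.get(username)
    if user is None or not device_cookie or "." not in device_cookie:
        return None
    device_id, tag = device_cookie.split(".", 1)
    if not hmac.compare_digest(tag, _cookie_tag(username, device_id)):
        return None  # forged or tampered cookie, or a cookie issued to another user
    if device_id not in user["devices"]:
        return None  # revoked or never enrolled on this account
    return user["message"]


def revoke_device(username: str, device_cookie: str) -> None:
    """Forget a device (user clicked "this is not my computer", or a cleanup job ran)."""
    device_id = device_cookie.split(".", 1)[0]
    USERS[username]["devices"].discard(device_id)


if __name__ == "__main__":
    # Username-only lookup: anyone who types "alice" learns her message.
    print("weak lookup:", lookup_message_weak("alice"))
    # Hardened lookup: only alice's enrolled browser gets an answer.
    cookie = issue_device_cookie("alice")
    print("own browser:", lookup_message_hardened("alice", cookie))
    print("no cookie:", lookup_message_hardened("alice", None))
    print("alice's cookie sent for bob:", lookup_message_hardened("bob", cookie))
```

The hardened variant is exactly the trade-off the thread arrives at: a server that has no cookie for the requesting browser returns nothing, which defeats a username-only relay, but it also returns nothing for a cleared cookie or a second browser, so the real site has to fall back to some other check before it shows anything, and that is the usability cost the next posts complain about.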

Posted

I hate these sorts of systems because I have multiple websites that use them and I have to pick different images for each. Whenever I have to log in (which is only monthly, to pay my bills) I get this image thing and I don't remember if it's the 'right' image for that website.

It's just one more thing you need to remember, like the gazillion and one passwords you need to keep track of since sites have different requirements. I have to keep a spreadsheet on my flash drive to keep track of all of them, so the whole point of being secure goes out the window there.

Give me something like thumbprint or retinal scan login systems, at least until they get beaten too. :lol:

Posted

I think what should be asked is...

"How many times have you seen a phishing scheme involving a forum?"

Personally it's 0 times, and cases of this happening would certainly be rare considering most people are after money, not forum accounts.

I don't think it has much benefit really... just a feature that adds security against something that would be EXTREMELY rare, and preventable by just making sure it's the correct domain.

Posted

My bank has actually sent out little ATM card readers that you must use to transfer money.

You stick in your card. Tap in your pin. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8 digit code which you enter into a box on the page and if all is correct, it lets you proceed.

It's highly annoying but probably (quite) secure.
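
The card reader described above is a transaction-signing device: the code it produces depends on the card's secret, the amount, and the per-transaction key string from the transfers page, so a code captured by a fake page or attached to an altered transfer is worthless. The Python below is an added example written for this thread, not the bank's protocol or any real card reader's implementation. The card key, PIN and challenge are constructed values, and HMAC-SHA256 with HOTP-style truncation stands in for whatever cryptogram the real card computes.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo secrets. In a real reader the card key never leaves the chip
# and the PIN is checked by the card itself; both are plain values here.
CARD_KEY = b"demo-card-key-not-a-real-secret"
CARD_PIN = "4321"


def new_challenge() -> str:
    """The 'key string' the transfers page shows: fresh for every transaction."""
    return secrets.token_hex(4).upper()


def _cryptogram(card_key: bytes, amount: str, challenge: str) -> str:
    """8-digit code over (amount, challenge): a MAC keyed by the card secret."""
    digest = hmac.new(card_key, f"{amount}|{challenge}".encode(), hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226): 31 bits reduced to 8 decimal digits.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def reader_code(card_key: bytes, stored_pin: str, entered_pin: str,
                amount: str, challenge: str) -> Optional[str]:
    """What the hand-held reader does after card, PIN, amount and challenge are entered.

    The card refuses without the right PIN (a real card also counts retries).
    Otherwise the code covers both the amount and the page's challenge, so it is
    useless for any other amount or any other transaction.
    """
    if not hmac.compare_digest(stored_pin, entered_pin):
        return None
    return _cryptogram(card_key, amount, challenge)


def bank_verifies(card_key: bytes, amount: str, challenge: str,
                  submitted: Optional[str]) -> bool:
    """The bank recomputes the code for the transfer it is actually about to execute."""
    if submitted is None:
        return False
    return hmac.compare_digest(_cryptogram(card_key, amount, challenge), submitted)


if __name__ == "__main__":
    challenge = new_challenge()
    code = reader_code(CARD_KEY, CARD_PIN, "4321", "250.00", challenge)
    print("legitimate transfer accepted:", bank_verifies(CARD_KEY, "250.00", challenge, code))
    # Amount changed between the browser and the bank: the code no longer matches.
    print("altered amount accepted:", bank_verifies(CARD_KEY, "2500.00", challenge, code))
    # Same code submitted against a later transaction's challenge: rejected.
    print("replayed code accepted:", bank_verifies(CARD_KEY, "250.00", new_challenge(), code))
    # Wrong PIN: the card produces nothing at all.
    print("wrong PIN gives:", reader_code(CARD_KEY, CARD_PIN, "0000", "250.00", challenge))
```

The point the poster makes about it being "probably (quite) secure" falls out of the construction: a spoof page can collect a code, but that code only authorises the amount and challenge the user actually saw on the bank's own page, and nothing else.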

Posted

> My bank has actually sent out little ATM card readers that you must use to transfer money.
>
> You stick in your card. Tap in your pin. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8 digit code which you enter into a box on the page and if all is correct, it lets you proceed.
>
> It's highly annoying but probably (quite) secure.

We don't have as much money as you, Matt, so our banks don't send us these :P.

Posted

> My bank has actually sent out little ATM card readers that you must use to transfer money.
>
> You stick in your card. Tap in your pin. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8 digit code which you enter into a box on the page and if all is correct, it lets you proceed.
>
> It's highly annoying but probably (quite) secure.

ATM machines are hard to find around here, but I can get a bank card, but they will charge me $5 a month for it.

Posted

> We don't have as much money as you, Matt, so our banks don't send us these :P.

I have two. ;)

Natwest sent them to every customer, I'd consider Natwest a fairly standard every day bank!

That said, the day I have to use one of those to log into a forum is the day I stop using forums. :lol:

Posted

> I have two. ;)
>
> Natwest sent them to every customer, I'd consider Natwest a fairly standard every day bank!
>
> That said, the day I have to use one of those to log into a forum is the day I stop using forums. :lol:

Gimme one and your CC so I can see if it works :D. It's a cool thing and you still don't have as much money as Matt :P.
