W13 Posted September 30, 2008
I used Verified by Visa today, and they have added a new feature: a personalized message. It is supposed to help fight against phishing. The login box asks you to enter your Verified by Visa password, and also shows your "personalized message" (you set this when you register for Verified by Visa).

Recently, my forums got phished big time. A replica login page with a similar-looking URL caused hundreds of people to get hacked. Now, it got me thinking:

1. User clicks "login" on IPB
2. Types in the "user name"
3. Ajax grabs their "personalized message" (which they set during registration)
4. The "personalized message" is shown in a third field called "personalized message"
5. Then, once it is shown, the password field is unlocked (disabled=false)
6. The user is happy to enter their password in a place that knows their "personalized message"

If I don't see my personalized message, then I know something is wrong!

Also, use the GD library (not plain text) to show the personalized message and randomize the name of the image, etc. That way, nobody can just open a hidden iframe with your login page and remotely grab the personalized message. (They can with PHP, ... but you can block requests from their server... or use some other methods to stop somebody file_get_contents'ing or cURL-ing it.)
Lakai. Posted October 1, 2008
I say this is a really good idea and should be thought about in the upcoming IPB versions. My bank does the same thing :P
Keith J. Kacin Posted October 1, 2008
> Now, it got me thinking:
> 1. User clicks "login" on IPB
> 2. Types in the "user name"
> 3. Ajax grabs their "personalized message" (which they set during registration)
> 4. The "personalized message" is shown in a third field called "personalized message"
> 5. Then, once it is shown, the password field is unlocked (disabled=false)
> 6. The user is happy to enter their password in a place that knows their "personalized message"

What would stop someone from entering someone else's name, getting their personal message, and then using it on the phishing site they set up?
bfarber Posted October 2, 2008
> What would stop someone from entering someone else's name, getting their personal message, and then using it on the phishing site they set up?

To be quite honest, I saw a technical whitepaper from a hacker recently (in the last 6 months) where they described a similar, but slightly different, method to accomplish nearly the same thing. They set up a fake Bank of America site, which uses a personalized message + image for anti-phishing purposes. When a user enters their username (as they would at BofA), they used backend processing to call out to the BofA site to actually retrieve the page displaying the image and personalized message. Then they were capable of just showing this on their spoofed page. Don't even need to manually go to the site to do this. If they set up a spoof page, the AJAX call to their server can then use curl or something to call out to the REAL site with the username to get it at runtime. While it's a novel idea, it's definitely not foolproof, and can definitely provide a false sense of security.
.Matt. Posted October 3, 2008
Not foolproof. But I'm sure with some hours looking into it (by some of the best developers, like IPS), it can be foolproof.
bfarber Posted October 3, 2008
Got any ideas how to do so? I think Bank of America and other sites where security is of the utmost priority (financial institutions, for instance) would be very interested in them too. :) If they're having a hard time figuring out how that can be done, obviously it's a bit trickier than it sounds.
W13 Posted October 3, 2008
How about an "Internet User License" - sort of like the "Driver's License" (for cars). Only people that pass it are able to use the Internet. Otherwise, they get a fine.
bfarber Posted October 3, 2008
> How about an "Internet User License" - sort of like the "Driver's License" (for cars). Only people that pass it are able to use the Internet. Otherwise, they get a fine.

:lol: Perhaps an IQ test to go along with it. "Hit any key" "I can't find the any key, where is it on my keyboard?" "I apologize, you fail the internet test"
YounGMessiah Posted October 3, 2008
lol ^... good idea, but it probably wouldn't work out..
Jaggi Posted October 4, 2008
> :lol: Perhaps an IQ test to go along with it. "Hit any key" "I can't find the any key, where is it on my keyboard?" "I apologize, you fail the internet test"

OK, I failed the test, but put me out of my misery, where's the any key?!
henke37 Posted October 5, 2008
Here is a simple way: set the message in a cookie. Good luck doing a phoney site then!
W13 Posted October 6, 2008
> Here is a simple way: set the message in a cookie. Good luck doing a phoney site then!

That's a pretty good idea. However, I think you can still grab cookie info using cURL.
Matt (Management) Posted October 6, 2008
You can't use a cookie as they can be deleted. Or if you used another browser the cookie wouldn't be there. Whatever can be used legitimately can almost certainly be used by a hacker.
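The following Python is an added example, not code from this thread, from IPB or from any bank. It models the three designs argued over above: the username-to-message flow from the first post, the server-side relay bfarber describes (the phishing site fetches the message from the real site at runtime), and henke37's cookie-gated variant together with the cost Matt points out (a cleared cookie or a new browser makes the real site refuse too). All users, messages, cookies and the image stand-in are constructed for the example.

```python
import secrets

# Constructed sample data (not from the thread): what the real site stores per user.
REAL_USERS = {
    "alice": {"personal_message": "purple giraffe", "password": "hunter2"},
    "bob":   {"personal_message": "cold coffee",    "password": "letmein"},
}


class RealSite:
    """The legitimate site, using the flow from the first post: username in,
    personalized message out, and only then does the password field unlock.
    With require_cookie=True it is the cookie-gated variant: the message is
    only returned to a browser holding a cookie from an earlier real login."""

    def __init__(self, users, require_cookie=False):
        self.users = users
        self.require_cookie = require_cookie
        self.issued_cookies = {}          # cookie token -> username

    def lookup_message(self, username, cookie=None):
        """The AJAX endpoint the login page calls once the username is typed."""
        user = self.users.get(username)
        if user is None:
            return None
        if self.require_cookie and self.issued_cookies.get(cookie) != username:
            return None
        return user["personal_message"]

    def render_image(self, username):
        """GD-style rendering: message as image bytes under a random file name.
        The bytes stand in for a PNG; a relay forwards them unchanged, so the
        random name does not stop the attack."""
        msg = self.lookup_message(username)
        if msg is None:
            return None
        return secrets.token_hex(8) + ".png", msg.encode()

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        token = secrets.token_urlsafe(16)
        self.issued_cookies[token] = username  # sets the anti-phishing cookie
        return token


class PhishSite:
    """A look-alike domain. It stores no messages: its AJAX handler relays the
    username to the real site server-side (the cURL step in the thread) and
    shows whatever comes back."""

    def __init__(self, real_site):
        self.real = real_site
        self.captured = []

    def lookup_message(self, username, cookie=None):
        # The browser sends the real site's cookie only to the real domain, so
        # the phisher's server-side request arrives without it.
        return self.real.lookup_message(username, cookie=None)

    def render_image(self, username):
        return self.real.render_image(username)

    def login(self, username, password):
        self.captured.append((username, password))   # credentials stolen
        return "fake-session"


def victim_flow(site, username, password, expected_message, browser_cookie=None):
    """What the user does: type the password only if the message shown matches
    the one they chose at registration."""
    shown = site.lookup_message(username, cookie=browser_cookie)
    if shown != expected_message:
        return "refused"
    site.login(username, password)
    return "entered password"


def demo():
    results = {}

    # Original design: the username alone is enough to fetch the message.
    real = RealSite(REAL_USERS)
    phish = PhishSite(real)
    results["phish_shows_message"] = phish.lookup_message("alice") == "purple giraffe"
    results["image_relayed"] = phish.render_image("alice")[1] == real.render_image("alice")[1]
    results["victim_phished"] = victim_flow(phish, "alice", "hunter2", "purple giraffe") == "entered password"
    results["captured"] = phish.captured[0]

    # Cookie-gated design: the relay is stopped, at the cost Matt points out.
    gated = RealSite(REAL_USERS, require_cookie=True)
    gated_phish = PhishSite(gated)
    cookie = gated.login("alice", "hunter2")      # an earlier real login set the cookie
    results["gated_real_ok"] = victim_flow(gated, "alice", "hunter2", "purple giraffe", cookie) == "entered password"
    results["gated_phish_blocked"] = victim_flow(gated_phish, "alice", "hunter2", "purple giraffe", cookie) == "refused"
    # Cleared cookie or a different browser: the real site now refuses too.
    results["gated_new_browser_refused"] = victim_flow(gated, "alice", "hunter2", "purple giraffe") == "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model keeps the point of the discussion visible in code: anything the real site will hand out in exchange for a username, a relay can hand out too, and anything the real site refuses without browser-held state it also refuses to a legitimate user who lacks that state.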
Amy T Posted October 6, 2008
Yep, I can not even get into my Citibank account as the site is too secure.
Michael Posted October 6, 2008
I hate these sorts of systems because I have multiple websites that use them and I have to pick different images for each. Whenever I have to log in (which is only monthly, to pay my bills) I get this image thing and I don't remember if it's the 'right' image for that website. It's just one more thing you need to remember, like the gazillion and one passwords you need to keep track of since sites have different requirements. I have to keep a spreadsheet on my flash drive to keep track of all of them, so the whole point of being secure goes out the window there. Give me something like thumbprint or retinal scan login systems, at least until they get beaten too. :lol:
Amy T Posted October 6, 2008
Genetic scanners would be cool, but then again identical twins would get into each other's accounts.
TrixieTang Posted October 7, 2008
I think what should be asked is... "How many times have you seen a phishing scheme involving a forum?" Personally it's 0 times, and cases of this happening would certainly be rare considering most people are after money, not forum accounts. I don't think it has much benefit really... just a feature that adds security against something that would be EXTREMELY rare, and preventable by just making sure it's the correct domain.
Matt (Management) Posted October 7, 2008
My bank has actually sent out little ATM card readers that you must use to transfer money. You stick in your card, tap in your PIN. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8-digit code which you enter into a box on the page, and if all is correct, it lets you proceed. It's highly annoying but probably (quite) secure.
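As an added example (not the bank's scheme and not code from this thread), the Python below models the card-reader flow just described: the reader takes the card, the PIN, the amount and the key string from the transfers page, and produces an 8-digit code that the bank checks against the transaction it recorded. A real reader signs with the chip's own keys; here an HMAC over the same inputs, keyed with a made-up per-card secret, stands in so the protocol shape runs offline. The card numbers, PIN, secret, amounts and the truncation rule are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-card secret shared between the chip and the
# bank. A real reader uses the card's own EMV keys; an HMAC over the same
# inputs is a stand-in that keeps the protocol shape while staying runnable.
CARDS = {
    "4111000000000001": {"secret": b"example-card-secret-1", "pin": "4321"},
}


def compute_code(secret, card_no, amount, challenge):
    """8-digit response bound to the card, the amount and the page's challenge.
    Truncation follows the dynamic-offset idea used by HOTP (RFC 4226)."""
    msg = f"{card_no}|{amount}|{challenge}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class CardReader:
    """The unconnected reader: insert card, tap PIN, enter amount, enter the
    key string shown on the transfers page, read off the 8-digit code."""

    def __init__(self, card_no, card):
        self.card_no = card_no
        self.card = card

    def sign(self, pin, amount, challenge):
        if not hmac.compare_digest(pin, self.card["pin"]):
            return None                         # wrong PIN: no code issued
        return compute_code(self.card["secret"], self.card_no, amount, challenge)


class Bank:
    """Server side: issues a per-transaction challenge and checks the code
    against the amount it actually recorded, not the one the user believes."""

    def __init__(self, cards):
        self.cards = cards
        self.pending = {}                       # challenge -> (card_no, amount)

    def start_transfer(self, card_no, amount):
        challenge = secrets.token_hex(4).upper()    # the key string shown on the page
        self.pending[challenge] = (card_no, amount)
        return challenge

    def confirm(self, challenge, code):
        entry = self.pending.pop(challenge, None)   # single use: no replay
        if entry is None or code is None:
            return False
        card_no, amount = entry
        expected = compute_code(self.cards[card_no]["secret"], card_no, amount, challenge)
        return hmac.compare_digest(expected, code)


def demo():
    bank = Bank(CARDS)
    card_no = "4111000000000001"
    reader = CardReader(card_no, CARDS[card_no])
    results = {}

    # Honest flow: amount typed into the reader matches the amount at the bank.
    challenge = bank.start_transfer(card_no, "100.00")
    code = reader.sign("4321", "100.00", challenge)
    results["legit"] = bank.confirm(challenge, code)

    # Replay of the same challenge and code: already consumed.
    results["replay"] = bank.confirm(challenge, code)

    # Man-in-the-browser: the user asked for 100.00, the attacker submits
    # 5000.00 to the bank and relays the resulting challenge to the user. The
    # user signs the amount they see, so the code does not match the bank's.
    challenge = bank.start_transfer(card_no, "5000.00")
    code = reader.sign("4321", "100.00", challenge)
    results["tampered_amount"] = bank.confirm(challenge, code)

    # Wrong PIN: the reader produces nothing to submit.
    challenge = bank.start_transfer(card_no, "100.00")
    results["wrong_pin"] = bank.confirm(challenge, reader.sign("0000", "100.00", challenge))
    return results


if __name__ == "__main__":
    print(demo())
```

Typing the amount into the reader is what makes this stronger than the personalized-message idea earlier in the thread: the code commits to the amount and to a one-time challenge, so a relay that changes the amount or reuses an old code fails at the bank, whereas a relayed username-to-message lookup passes unchanged.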
Jaggi Posted October 7, 2008
> My bank has actually sent out little ATM card readers that you must use to transfer money. You stick in your card, tap in your PIN. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8-digit code which you enter into a box on the page, and if all is correct, it lets you proceed. It's highly annoying but probably (quite) secure.

We don't have as much money as you, Matt, so our banks don't send us these :P.
Amy T Posted October 7, 2008
> My bank has actually sent out little ATM card readers that you must use to transfer money. You stick in your card, tap in your PIN. It then asks you for an amount, then it asks you to enter the key string shown on the transfers page (which is unique to that transaction). It then produces an 8-digit code which you enter into a box on the page, and if all is correct, it lets you proceed. It's highly annoying but probably (quite) secure.

ATM machines are hard to find around here. I can get a bank card, but they will charge me $5 a month for it.
Guest Posted October 7, 2008
> We don't have as much money as you, Matt, so our banks don't send us these :P.

I have two. ;) Natwest sent them to every customer; I'd consider Natwest a fairly standard everyday bank! That said, the day I have to use one of those to log into a forum is the day I stop using forums. :lol:
Jaggi Posted October 7, 2008
> I have two. ;) Natwest sent them to every customer; I'd consider Natwest a fairly standard everyday bank! That said, the day I have to use one of those to log into a forum is the day I stop using forums. :lol:

Gimme one and your CC so I can see if it works :D. It's a cool thing, and you still don't have as much money as Matt :P.
Archived
This topic is now archived and is closed to further replies.