Thoughts on Phishing
PC Doctor posted an article about image recognition between user and website as an additional form of security to thwart phishing attempts. The image adds a layer of security. For example, a user logs in with a username and password. The user is then presented with an image. This image is a previously agreed-upon image that was set up in the user's account. Once the image appears, the user verifies that this is the correct image by entering their password again. The user is then taken to their account, and so on.
Here in the States, Bank of America currently uses this kind of protection on all online bank accounts.
How does this thwart phishing attempts?
The Doc is right in stating that any website can be easily copied. One could easily enter a username and password into a look-alike site without noticing. With image recognition, the user expects something back from the website. If the user does not receive anything back (the image), or receives the wrong image, then they know something is wrong.
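To make the exchange concrete, here is an added simulation of the two-step login described above, written for this post and not code from PC Doctor or from any bank. Both sides are modelled: a genuine site that holds each user's enrolment record (password hash plus chosen image) and shows the image before asking for the password, a look-alike site that has no such record and can only show a generic image, and a client routine that refuses to send the password unless the image it gets back is the one it expects. The post describes the password being entered first and again after the image; the example assumes the password is sent only once, after the image check, since that is where the check does its work. All names, the `img-lighthouse` image identifier and the account data are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored record never holds the plain password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class GenuineSite:
    """Server side of the image-then-password login (constructed example)."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "image_id"}
        self.pending = {}   # session token -> username awaiting the password

    def enroll(self, username: str, password: str, image_id: str) -> None:
        # The image id chosen at enrolment is the secret the site must show back.
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "image_id": image_id,
        }

    def begin_login(self, username: str):
        """Step 1: given only the username, prove knowledge of the user's image."""
        record = self.users.get(username)
        if record is None:
            return None, None           # unknown user: nothing to show
        token = secrets.token_hex(8)    # ties the later password step to this attempt
        self.pending[token] = username
        return token, record["image_id"]

    def finish_login(self, token: str, password: str) -> bool:
        """Step 2: accept the password only for an attempt that went through step 1."""
        username = self.pending.pop(token, None)
        if username is None:
            return False
        record = self.users[username]
        candidate = _hash_password(password, record["salt"])
        return hmac.compare_digest(candidate, record["pw_hash"])


class LookAlikeSite:
    """A copied login page with no enrolment records (constructed example).

    It cannot know which image the user picked, so it shows a generic one and
    simply pretends that whatever password it receives was accepted."""

    def __init__(self):
        self.captured_password = None

    def begin_login(self, username: str):
        return "fake-token", "img-generic"

    def finish_login(self, token: str, password: str) -> bool:
        self.captured_password = password
        return True


def user_login(site, username: str, password: str, expected_image: str) -> dict:
    """Client side: send the username, check the image, and only then send the password."""
    token, image = site.begin_login(username)
    if image != expected_image:
        # Wrong or missing image: stop here, the password is never sent.
        return {"image_ok": False, "password_sent": False, "logged_in": False}
    logged_in = site.finish_login(token, password)
    return {"image_ok": True, "password_sent": True, "logged_in": logged_in}


def demo():
    """Run the same client against the genuine site and the look-alike."""
    real = GenuineSite()
    real.enroll("alice", "correct horse battery staple", "img-lighthouse")
    genuine = user_login(real, "alice", "correct horse battery staple", "img-lighthouse")
    wrong_pw = user_login(real, "alice", "not her password", "img-lighthouse")
    fake = LookAlikeSite()
    phished = user_login(fake, "alice", "correct horse battery staple", "img-lighthouse")
    return genuine, wrong_pw, phished, fake.captured_password


if __name__ == "__main__":
    for label, result in zip(("genuine", "wrong password", "look-alike"), demo()[:3]):
        print(f"{label}: {result}")
```

Against the genuine site the client sees its image, sends the password and is logged in; against the look-alike it sees `img-generic`, stops, and the copied site captures nothing. The check binds the user's decision to the site's knowledge of the enrolment record; it gives no protection if a look-alike site can obtain the genuine image for that username and forward it, which is why the image is a supplement to, not a replacement for, checking the site's identity.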
The Doc also raises the issue of having to move to a token-based method of website/user interaction. Email has had certificates available for security use for a long time now. From MS Outlook help:
Digital IDs (certificates) are files that are issued by a certified security authority, such as VeriSign, Inc., or from your Microsoft Exchange Server administrator. Your digital ID is used to verify your signature on digitally signed mail and to send encrypted mail to others. Digital IDs have an expiration date and must be renewed periodically to remain valid. To send an encrypted message over the Internet, both the sender and the receiver must have a valid digital ID.
I am not a security expert, but it seems to me a similar system between users and websites could be implemented.
Tags: phishing, security
Posted by Paul Flyer on Wednesday, April 12th, 2006 in Security