[73245] in North American Network Operators' Group


Re: Phishing (Was Re: WashingtonPost computer security stories)

daemon@ATHENA.MIT.EDU (Michael.Dillon@radianz.com)
Tue Aug 17 09:17:59 2004

In-Reply-To: <200408171205.IAA30140@sigma.nrk.com>
To: nanog@merit.edu
From: Michael.Dillon@radianz.com
Date: Tue, 17 Aug 2004 14:13:26 +0100
Errors-To: owner-nanog-outgoing@merit.edu


> I wonder if the banks have ever considered how they have
> contributed to the problem. If their pages were straight
> up, no pop-ups, no JavaVirus, etc.... it would be far easier
> to tell their customers:
> 
> ==============================================================
>    Here is what our page looks like:

> But of course, that would not be glitzy enough....

My bank does pretty much what you suggest. Have a look here
https://ibank.barclays.co.uk/fp/1_2c/online/1,26806,logon,00.html
and if that link has timed out or something, just go here
https://ibank.barclays.co.uk/
and click the Log-in button.

Barclays also uses a "memorable word" in addition to
the PIN code. They repeatedly tell us that no-one
from Barclays will ever ask us to reveal this
memorable word. Its only use is for a simple
challenge-response where the website asks for
two specific letters from the word and we select
them from drop-down boxes to defeat keyloggers.
Nice example of layered security that keeps the
criminals snapping at the heels of the guy next
door, i.e. CitiBank et al.

--Michael Dillon
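
The two-letter challenge described in the message above, sketched from the server side as an added example (not part of the original post and not Barclays' code). The class and method names are hypothetical, the word "lighthouse" used with it is constructed, and the recoverable storage of the word, the failure limit, and the reuse of the same positions after a wrong answer are assumptions of this sketch.

```python
import hmac
import secrets


class MemorableWordChallenge:
    """Server side of a two-letter memorable-word check (hypothetical API)."""

    def __init__(self, word, max_failures=3):
        if len(word) < 2:
            raise ValueError("memorable word needs at least two letters")
        # Assumption: the word is held in recoverable form (e.g. encrypted at
        # rest). One hash of the whole word cannot answer per-letter questions.
        self._word = word.lower()
        self._max_failures = max_failures
        self._failures = 0
        self._pending = None

    def issue(self):
        """Return two distinct 1-based positions for the drop-down boxes."""
        if self._pending is None:
            rng = secrets.SystemRandom()
            picks = rng.sample(range(1, len(self._word) + 1), 2)
            self._pending = tuple(sorted(picks))
        # The same positions are returned until answered correctly, so a
        # client cannot reload the page to get positions it already knows.
        return self._pending

    def verify(self, letters):
        """Check the two selected letters; lock out after repeated failures."""
        if self._pending is None or self._failures >= self._max_failures:
            return False
        expected = "".join(self._word[p - 1] for p in self._pending)
        supplied = "".join(letters).lower()
        # Constant-time comparison of the two requested letters only.
        ok = hmac.compare_digest(expected.encode(), supplied.encode())
        if ok:
            self._failures = 0
            self._pending = None  # single use: fresh positions next login
        else:
            self._failures += 1
        return ok
```

Each login exposes only the two requested letters to anything recording the session, which is the property the message attributes to the drop-down boxes.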

