[94309] in North American Network Operators' Group
Re: Phishing and BGP Blackholing
daemon@ATHENA.MIT.EDU (Travis H.)
Wed Jan 17 20:06:05 2007
Date: Wed, 17 Jan 2007 19:04:09 -0600
From: "Travis H." <travis+ml-nanog@subspacefield.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <87fyasw53h.fsf@mid.deneb.enyo.de>
Errors-To: owner-nanog@merit.edu
On Wed, Jan 03, 2007 at 03:35:30PM +0100, Florian Weimer wrote:
> SecurID might be helpful if you want to differentiate your product
> between automatic and manual use, but it doesn't do anything to
> authenticate the party you are relaying information to. But it's
> useless in a phishing context. If you want a token solution, at least
> use something that factors in transaction-related data.
And since the whole point of using a token is having an isolated,
presumably more trustworthy environment, then you also would logically
need a display and input device for it. On the
cryptography@metzdowd.com list, there has been some discussion of
this, and also some statements that the login needs to be part of the
"browser chrome" (whatever that is) and not just any old form on an
unprotected HTML page. Furthermore, the current understanding of
marketing departments and customer support is on par with "the lock
icon means it's secure", so even reputable companies like (IIRC) Chase
are sending out emails telling their customers to log in to web sites
with domain names that don't even resemble Chase, essentially training
customers to be phishing victims.
It's clear that the technology has progressed to the point that it is
easier to confuse the user than actually exploit the security systems,
and what we really need now is some leadership from UI designers (say,
Apple) for browser designs and idioms that are intuitively obvious to
the most casual of users. However, that's not exactly hard science and
there isn't much usability research in the security community, because
it's already so recondite.
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
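Florian's point that a token must "factor in transaction-related data" to be of any use against phishing, shown as an added example that is not from this thread or from any vendor's product: a code that depends only on the secret and a counter verifies fine even when the relayed transaction has been altered, while a code bound to the amount and beneficiary the token displayed does not. The shared secret, counter and the HMAC-SHA256 truncation scheme are constructed for illustration and do not follow any particular standard.

```python
import hashlib
import hmac
import struct

DIGITS = 8  # constructed choice; real tokens display 6-8 digits


def _truncate(mac: bytes) -> str:
    # Take the leading 4 bytes of the MAC and render them as a fixed-width decimal code.
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def otp_code(secret: bytes, counter: int) -> str:
    """Plain one-time code: depends only on the secret and an event counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, amount: str, beneficiary: str) -> str:
    """Code bound to the transaction details the token showed on its own display."""
    msg = struct.pack(">Q", counter) + amount.encode() + b"\x00" + beneficiary.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(secret: bytes, counter: int, submitted: str,
                 amount: str, beneficiary: str, bound: bool) -> bool:
    """Server-side check: recompute the code for the transaction actually submitted."""
    expected = (transaction_code(secret, counter, amount, beneficiary)
                if bound else otp_code(secret, counter))
    return hmac.compare_digest(expected, submitted)


def relay_scenario(bound: bool) -> bool:
    """Constructed scenario: the user intends to pay 10.00 to ALICE, but the
    code is relayed with a payment to MALLORY instead. Returns True if the
    bank accepts the altered transaction."""
    secret = b"constructed-shared-secret"  # constructed value, not a real key
    counter = 42
    if bound:
        code = transaction_code(secret, counter, "10.00", "ALICE")
    else:
        code = otp_code(secret, counter)
    return bank_accepts(secret, counter, code, "10.00", "MALLORY", bound)


if __name__ == "__main__":
    print("unbound OTP, altered beneficiary accepted:", relay_scenario(bound=False))
    print("transaction-bound code, altered beneficiary accepted:", relay_scenario(bound=True))
```

The bound code only helps if the amount and beneficiary are rendered on the token's own display, which is the isolated input/output device Travis describes; a code computed over data shown on the phished page binds nothing.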