US Banks: Training the next generation of phishing victims

Amir Herzberg herzbea at macs.biu.ac.il
Fri Oct 14 04:23:23 EDT 2005


I probably wasted more time than anybody on this crazy topic, and in 
particular:
1. I keep a `Hall of Shame` site of such unprotected login pages (even got 
me a DigiCrime title: Inter-Net Fraud League Commissioner!)
2. With others, we develop TrustBar, an improved security indicator 
toolbar for Firefox, which also tries to protect users of unprotected 
login pages, e.g. by automatically redirecting to protected pages when 
found.

Some results/observations:
1. A few companies that had a dialog with me said their marketing/site 
design folks insist on login via the homepage, claiming this is so much 
better for consumers compared to a separate login page. I see this as a 
very very extreme case of `usability beats security`.
2. The same companies also claimed that using SSL on homepage is too much 
overhead. Extreme case of `performance beats security`.
3. One company responded (to my warning of their unprotected login and 
the fact I'm going to add them to `hall of shame`) by legal threats. 
Typical case of `pay lawyers a lot, to avoid doing things right`.
4. One company sent me coupons for free trades. Rare example, I'm afraid...

-- 
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI: 
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages: 
http://AmirHerzberg.com/shame

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


