Status of SRP

James A. Donald jamesd at echeque.com
Thu Jun 1 18:55:37 EDT 2006


Ka-Ping Yee wrote:
 > Passpet's strategy is to customize a button that you
 > click.  We are used to recognizing toolbar buttons by
 > their appearance, so it seems plausible that if the
 > button has a custom per-user icon, users are unlikely
 > to click on a spoofed button with the wrong icon.
 > Unlike other schemes, such as special-looking windows
 > or a custom image shown with the login form, this
 > strategy requires the user to directly interact with
 > the customized UI element.

This seems like a promising tactic, since a first step
in any process is "look for the button".  If the user does
not see the button, they will be troubled, will stop and
think.

Any customization is an effective anti-phishing measure:
Observe that eBay resists phishing by starting its
emails by addressing each user by logon name, and Amazon
resists phishing by extensively customizing its web page
to each user - by supplying non-cryptographic evidence
of an existing relationship.


     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      O37xiq0aPJeqGc7fQTWWTY85hPPktIPGAwbDifVD
      4bDTmZTlI9gWsmLu9xhSdisgc26xogVtQOnIi5/DI


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list