once more, with feeling.

James A. Donald jamesd at echeque.com
Tue Sep 23 13:15:47 EDT 2008


Peter Gutmann wrote:
> The problem is that the default has always been to be insecure, and there's no
> effective way to get people to move to the secure non-default, or at least
> none that isn't relatively easily circumvented by a bit of creative thinking
> and/or social engineering. 

If the user is used to logging in by a user interface that is not easy 
to forge remotely - click on bookmark to bring up a user interface that 
is difficult to remotely forge - then this does indeed work.

There is always the give-your-password-over-the-phone attack, but the 
fact that phishers seeking WoW gold actually have to use the 
give-your-password-over-the-phone attack against WoW players shows the 
potency of a deliberately non-standard, difficult to forge, user interface.

WoW security does not stop phishing, but it makes phishers work for 
their money. WoW keeps telling users "never give your password to 
another person, no one at WoW will ever ask you for your password". 
Obvious advice, easy to understand and follow.



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com