[Cryptography] PRISM-Proofing and PRISM-Hardening
d.nix at comcast.net
Mon Sep 30 21:01:23 EDT 2013
> Found at:
> To quote from the above:
> The idea is that if customers do not see their [preselected] image,
> they could be at a fraudulent Web site, dummied up to look like
> their bank’s, and should not enter their passwords.
> The Harvard and M.I.T. researchers tested that hypothesis. In
> October, they brought 67 Bank of America customers in the Boston
> area into a controlled environment and asked them to conduct
> routine online banking activities, like looking up account
> balances. But the researchers had secretly withdrawn the images.
> Of 60 participants who got that far into the study and whose
> results could be verified, 58 entered passwords anyway. Only two
> chose not to log on, citing security concerns.
> This approach requires the customer to verify the image every log
> on. Conning them by replacing the image with, "Site undergoing
> maintenance" is fairly easy. With my approach, I would
> authenticate the bank's key once, when I establish an account or
> sign up for online banking. My software would check that
> authentication every time I log on after that. (If the bank decides
> to change its key every year, I might need a new piece of paper
> every year -- which might get old after a few years.)
>> and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which say
>> simple things like "show the right image" don't work.
> Found at:
It's also worth pointing out that common browser ad blocking / script
blocking / and site redirection add-ons and plugins (NoScript,
AdBlockPlus, Ghostery, etc.) can interfere with the identification
image display. My bank uses this sort of technology and it took me a
while to identify exactly which plug-in was blocking the security
image and then time to sort out an exception rule to not block it.
The point being - end users *will* install plug-ins and extensions
that may interfere with your verification tools.
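The approach quoted above (authenticate the bank's key once at enrollment against an out-of-band fingerprint, then have the client check it automatically on every later login, with a fresh fingerprint needed when the bank rotates its key) is shown below as an added trust-on-first-use pinning example. It is not code from the original post or from any bank; the site name, the key bytes and the "paper" fingerprints are constructed, and the pin store is an in-memory dict standing in for whatever the client would persist.

```python
import hashlib
import hmac

# Constructed sample key material (not real keys): the bytes a client would
# see as the server's DER-encoded public key during the TLS handshake.
BANK_KEY_V1 = b"constructed-bank-public-key-bytes-2013"
BANK_KEY_V2 = b"constructed-bank-public-key-bytes-2014"
IMPOSTOR_KEY = b"constructed-lookalike-site-key-bytes"

SITE = "bank.example"  # hypothetical site name


def fingerprint(public_key_der: bytes) -> str:
    """Hex SHA-256 of the raw public key bytes; this is what goes on the paper."""
    return hashlib.sha256(public_key_der).hexdigest()


def enroll(store: dict, site: str, presented_key: bytes, paper_fingerprint: str) -> bool:
    """One-time authentication of the site's key against an out-of-band value.

    The pin is recorded only if the key the server presents matches the
    fingerprint the user obtained independently (e.g. printed at the branch).
    Returns True on success, False if the key does not match the paper.
    """
    if site in store:
        raise ValueError(f"{site} is already enrolled; use rotate() to change its pin")
    if not hmac.compare_digest(fingerprint(presented_key), paper_fingerprint):
        return False  # mismatch at enrollment: do not trust this key
    store[site] = paper_fingerprint
    return True


def verify(store: dict, site: str, presented_key: bytes) -> bool:
    """Automatic check on every later login: does the key match the pin?

    A site with no pin is treated as unverified, so a login page that simply
    omits the expected material (the "site undergoing maintenance" trick)
    still fails rather than silently passing.
    """
    pinned = store.get(site)
    if pinned is None:
        return False
    return hmac.compare_digest(fingerprint(presented_key), pinned)


def rotate(store: dict, site: str, new_paper_fingerprint: str) -> None:
    """Key rotation needs a new out-of-band fingerprint (the new piece of paper).

    The client never accepts a new key just because the server presents one;
    the replacement pin must come from outside the connection.
    """
    if site not in store:
        raise ValueError(f"{site} is not enrolled")
    store[site] = new_paper_fingerprint


def demo() -> dict:
    """Walk through enrollment, a genuine login, a look-alike site, and rotation."""
    store: dict = {}
    results = {
        "enrolled": enroll(store, SITE, BANK_KEY_V1, fingerprint(BANK_KEY_V1)),
        "genuine_login": verify(store, SITE, BANK_KEY_V1),
        "lookalike_login": verify(store, SITE, IMPOSTOR_KEY),
    }
    rotate(store, SITE, fingerprint(BANK_KEY_V2))
    results["after_rotation_new_key"] = verify(store, SITE, BANK_KEY_V2)
    results["after_rotation_old_key"] = verify(store, SITE, BANK_KEY_V1)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'REJECTED'}")
```

The design choice worth noting is that the user is asked to compare a fingerprint exactly once, at enrollment; every subsequent check is done by software, which is what removes the "verify the image every login" burden the quoted study found users do not carry out. Rotation still costs one out-of-band exchange, as the post acknowledges.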