[Cryptography] PRISM-Proofing and PRISM-Hardening

d.nix d.nix at comcast.net
Mon Sep 30 21:01:23 EDT 2013


> Found at: 
> <http://www.nytimes.com/2007/02/05/technology/05secure.html?ex=1328331600&en=295ec5d0994b0755&ei=5090&partner=rssuserland&emc=rss>
> To quote from the above:
> The idea is that if customers do not see their [preselected] image,
> they could be at a fraudulent Web site, dummied up to look like
> their bank’s, and should not enter their passwords.
> The Harvard and M.I.T. researchers tested that hypothesis. In 
> October, they brought 67 Bank of America customers in the Boston
> area into a controlled environment and asked them to conduct
> routine online banking activities, like looking up account
> balances. But the researchers had secretly withdrawn the images.
> Of 60 participants who got that far into the study and whose 
> results could be verified, 58 entered passwords anyway. Only two
> chose not to log on, citing security concerns.
> This approach requires the customer to verify the image every log
> on. Conning them by replacing the image with, "Site undergoing 
> maintenance"[1] is fairly easy. With my approach, I would
> authenticate the bank's key once, when I establish an account or
> sign up for online banking. My software would check that
> authentication every time I log on after that. (If the bank decides
> to change its key every year, I might need a new piece of paper
> every year -- which might get old after a few years.)
>> and http://en.wikipedia.org/wiki/Phishing#cite_note-88 which say 
>> simple things like "show the right image" don't work.
> Found at: 
> <http://web.archive.org/web/20080406062154/http://people.seas.harvard.edu/~rachna/papers/emperor-security-indicators-bank-sitekey-phishing-study.pdf>
It's also worth pointing out that common browser ad blocking / script
blocking / and site redirection add-ons and plugins (NoScript,
AdBlockPlus, Ghostery, etc.) can interfere with the identification
image display. My bank uses this sort of technology and it took me a
while to identify exactly which plug-in was blocking the security
image and then time to sort out an exception rule to not block it.

The point being: end users *will* install plug-ins and extensions
that may interfere with your verification tools.
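Added example, not part of this post or the thread: the quoted poster describes authenticating the bank's key once against an out-of-band copy (a "piece of paper") and having local software re-check it on every later log-on, which is trust-on-first-use key pinning. The Python below implements that check with a hypothetical `PinStore` class; the key bytes and host names are constructed placeholders, not real keys or sites. It also models the caveat raised about yearly key changes: a pin mismatch is reported as such and only an explicit `rotate` with a fresh out-of-band fingerprint replaces the stored pin, because software alone cannot tell a legitimate rotation from a substituted key.

```python
"""Trust-on-first-use pinning of a site's public key.

Added illustration of the scheme described in the thread; PinStore and the
sample keys below are constructed for this example and are not real.
"""
import hashlib
import hmac

# Constructed placeholder "public keys" (real code would pass the DER or PEM
# bytes of the server's public key obtained from the TLS handshake).
KEY_A = b"-----CONSTRUCTED PUBLIC KEY A-----"
KEY_B = b"-----CONSTRUCTED PUBLIC KEY B-----"


def fingerprint(public_key_bytes: bytes) -> str:
    """SHA-256 over the serialized key, hex encoded; this is what would be
    printed on the out-of-band paper the user receives at sign-up."""
    return hashlib.sha256(public_key_bytes).hexdigest()


class PinStore:
    """Maps a hostname to the single key fingerprint the user has accepted."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def enroll(self, host: str, key: bytes, out_of_band_fp: str) -> str:
        """First contact: accept the key only if it matches the fingerprint
        the user obtained out of band. Enrolling blindly would just pin
        whatever key the first (possibly fraudulent) site presented."""
        if host in self._pins:
            raise ValueError(f"{host} already pinned; use rotate()")
        fp = fingerprint(key)
        if not hmac.compare_digest(fp, out_of_band_fp.strip().lower()):
            raise ValueError("presented key does not match out-of-band fingerprint")
        self._pins[host] = fp
        return fp

    def verify(self, host: str, key: bytes) -> str:
        """Every later log-on: compare the presented key with the pin.
        Returns 'ok', 'unknown-host' (never enrolled) or 'mismatch'."""
        pinned = self._pins.get(host)
        if pinned is None:
            return "unknown-host"
        if hmac.compare_digest(pinned, fingerprint(key)):
            return "ok"
        # A mismatch is either a substituted key or a legitimate rotation;
        # the software cannot distinguish them, so the user must not proceed.
        return "mismatch"

    def rotate(self, host: str, new_key: bytes, out_of_band_fp: str) -> str:
        """Replace a pin only when a new out-of-band fingerprint confirms
        the new key (the 'new piece of paper every year' case)."""
        if host not in self._pins:
            raise ValueError(f"{host} not pinned; use enroll()")
        fp = fingerprint(new_key)
        if not hmac.compare_digest(fp, out_of_band_fp.strip().lower()):
            raise ValueError("new key does not match out-of-band fingerprint")
        self._pins[host] = fp
        return fp


def demo() -> list[str]:
    """Walk through enrolment, a normal log-on, a substituted key and a
    confirmed rotation; returns the verify() results in that order."""
    store = PinStore()
    store.enroll("bank.example", KEY_A, fingerprint(KEY_A))
    results = [store.verify("bank.example", KEY_A),   # 'ok'
               store.verify("bank.example", KEY_B)]   # 'mismatch'
    store.rotate("bank.example", KEY_B, fingerprint(KEY_B))
    results.append(store.verify("bank.example", KEY_B))  # 'ok' after rotation
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs client-side and does not depend on anything the page renders, so an ad or script blocker that hides an image has no effect on it; the weak point instead becomes the out-of-band channel used at enrolment and at each rotation.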
