Comments on: Fighting phishing with counter-passwords

By: dieter.ca/blog » Blog Archive » Links, Week 41/05

dieter.ca/blog » Blog Archive » Links, Week 41/05 — Thu, 27 Apr 2006 20:09:25 +0000

[...] An interesting counter-phishing idea. [...]

By: Dougal Campbell

Dougal Campbell — Fri, 14 Oct 2005 21:31:50 +0000

Several sites I deal with already do something along these lines. For example, many banks and credit card companies will start the messages with something like “This message is in regard to your account ending with 9876″. And some other sites will include your full name and/or login name. Which may or may not be useful, depending on how public that information is on that particular site (or in general).

By: Saltation

Saltation — Fri, 14 Oct 2005 13:55:26 +0000

gads, someone who knows what “shibboleth” means

By: bhiv

bhiv — Thu, 13 Oct 2005 20:40:47 +0000

How about entering a serious of gibberish into the phisher’s database? This way, when they try out their database the institution (say paypal.com) can notice that there are many failed logins from them? Or even automate it (amavis flags phishing attempts)

By: Bill Seitz

Bill Seitz — Thu, 13 Oct 2005 19:26:08 +0000

Wouldn't it be simpler to generate a custom From address which you could add to your AddressBook/WhiteList? Of course, you have to worry about having multiple computers with unsynched WhiteLists...

Then of course there's the custom RSS feed to get you to subscribe to...

By: Matt Brubeck

Matt Brubeck — Thu, 13 Oct 2005 18:53:20 +0000

This has the Simon Says problem: It requires users to notice when something is not present. For the same reason that users don't notice the absense of the SSL "lock" icon, they won't notice the absence of the counter-password or passmark or whatever -- at least not enough of the time.

By: Nick

Nick — Thu, 13 Oct 2005 18:43:59 +0000

Psycho: The name's Francis Sawyer, but everybody calls me Psycho. Any of you guys call me Francis, and I'll kill you.

Leon: Ooooooh.

Psycho: You just made the list, buddy. Also, I don't like no one touching my stuff. So just keep your meathooks off. If I catch any of you guys in my stuff, I'll kill you. And I don't like nobody touching me. Any of you homos touch me, and I'll kill you.

Sergeant Hulka: Lighten up, Francis. I notice that the Bank of America website calls it a passmark. I like that.

By: mike

mike — Thu, 13 Oct 2005 18:13:12 +0000

Ummm why fool around with stenography when we’ve got such an abundance of public key schemes? And no I don’t think ‘lightweight’ or ‘too hard for aunt minnie’ count as reasonable answers. If it’s worth doing it’s worth doing well.

By: Sencer

Sencer — Thu, 13 Oct 2005 18:01:39 +0000

Actually that’s already being done by some banks in a slightly different way. Schneier was writing on hos blog about it a while back. Here is an example of it:

http://www.bankofamerica.com/privacy/passmark/

By: Dorothea

Dorothea — Thu, 13 Oct 2005 17:53:41 +0000

The credit union I used in Madison (uwcu.org) does this. I gave their system an incredibly silly but highly memorable phrase from a college roleplaying campaign, and they include it in the email they send me.

Which never fails to make me grin. Added bonus.

By: Roger Benningfield

Roger Benningfield — Thu, 13 Oct 2005 17:23:20 +0000

How about “lightweight credentials”?