phishing - if it's such a problem why don't they implement a simple fix?

Joined: 14 December 2003 | Messages: 5,343 | Location: NSXPO '05, '10 & '15
Reading this story makes me wonder.

For the life of me I can't understand why financial institutions are just sitting on their butts with all the phishing crap going on.

Here's what I think is an extremely simple fix:

Create a dual verification system:

1) You log into a website.
2) You are shown a page, which has a phrase, and/or an image that you pre-established with the institution.
3) Validated, you can then enter a new password to log into the account.

This dual verification would eliminate 99% of the phishing that goes on, and only require minor upgrades to the existing software.

Why are companies so damn slow to do something this easy to combat phishing?

I'm not the brightest person in the world, so surely there have to be even easier fixes than this. But at least they can implement something??
 
Let me clarify.

This is a dual log in process.

When you first log in with a username/password, all you see is the authentication page with the image/passphrase.

The only thing you can do at that time is cancel or enter a second password to enter your account.

Without the second password you can't do anything.

So for the consumer, if they don't see the image/passphrase, they know it's not a valid site and can then notify their institution that their username/password has been breached and get a new username and/or password.

The crooks who phish the first set of username/password will not be able to do anything with the info. Make sense?
 
Make great sense.

I have these great ideas all the time too but don't know how to easily put them to work for me. How would you propose this to a bank without the bank saying "great idea, thanks" and then throwing you out of the office?
 
In terms of PayPal, or other similar sites, they aren't financial institutions, but they certainly have the ability to introduce such a change. For the banks, you have to understand that very few of them rely on their own in-house technology. It's a case-by-case situation as to who could do it. The idea is sound, and there's a ton of other things they could do to reduce, or even eliminate, phishing.
 
Nobody does anything because phishing is still considered a minor problem, and any losses are covered. Companies have better things to do than worry about consumers and protecting their trust. :D
 
NsXMas said:
Let me clarify.

This is a dual log in process.

When you first log in with a username/password, all you see is the authentication page with the image/passphrase.

The only thing you can do at that time is cancel or enter a second password to enter your account.

Without the second password you can't do anything.

So for the consumer, if they don't see the image/passphrase, they know it's not a valid site and can then notify their institution that their username/password has been breached and get a new username and/or password.

The crooks who phish the first set of username/password will not be able to do anything with the info. Make sense?

Thank you for the explanation. I understand now.

I think this hasn't been implemented because it would be relatively easy for the Phishers (anyone understand the origin of this term?) to circumvent.

The scheme would work as follows:

a) unsuspecting user enters credentials on phisher's imitation site.
b) phishers pass the credentials to the legitimate site's login page.
c) phishers parse the passphrase from the legitimate site.
d) phishers display the passphrase to the unsuspecting user.
e) unsuspecting user validates the passphrase and enters secondary credentials.

Basically, the phishers would be acting as a proxy of the unsuspecting user. Your proposal had me stumped for a while. In the short term it may reduce the harm that Phishing schemes are inflicting. In the longer term, this plan may be more of a detriment because it complicates the authentication process. I think the more complex the process, the more of an opportunity for the novice to get fleeced.

I think the only way that this will be solved is for advancements made in the ease of encryption implementation for end users. For example, say I'm a Bank One user. I would be able to upload my public encryption key to Bank One. Bank One would then encrypt all secure emails to me with my key. The technology is present for this now, however, the process is too complex for the average user.
 
I'm not sure how your idea would make a site bulletproof from phishing... but at least it's a step in the right direction.

Google is implementing a new system in their Gmail system against phishing; if an email has a URL to www.paypal.com but the actual link goes to something else, the user will be notified of the potential phishing trip. :p :)

Prevention is better than cure, and in Gmail's case it's definitely best to prevent people from visiting the fake website in the first place.
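The Gmail-style check described in the post above, as an added example that is not part of the original thread or of Google's code: it parses an HTML email body (a constructed sample) and flags anchors whose visible text looks like a hostname that differs from the host the href actually points to. The "same site" rule (compare the last two domain labels) is a simplifying assumption, not a public-suffix-aware check.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def shown_host(text):
    """Hostname if the visible link text looks like a URL or bare domain, else None."""
    s = text.strip()
    if "://" not in s:
        s = "http://" + s  # let urlparse handle 'www.paypal.com/help'
    host = urlparse(s).hostname
    return host if host and HOST_RE.fullmatch(host) else None


def same_site(a, b):
    """Assumption: two hosts are the same site when their last two labels match."""
    return a.split(".")[-2:] == b.split(".")[-2:]


class LinkMismatchDetector(HTMLParser):
    """Collect (visible_text, href) pairs where the displayed host != real host."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.mismatches = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            displayed = shown_host(shown)
            real = urlparse(self._href).hostname  # IP literals count as hosts here
            if displayed and real and not same_site(displayed, real):
                self.mismatches.append((shown, self._href))
            self._href = None


def find_mismatched_links(html):
    """Return the list of suspicious anchors found in an HTML email body."""
    p = LinkMismatchDetector()
    p.feed(html)
    return p.mismatches


# Constructed sample email: one spoofed link, one honest link, one plain 'click here'.
SAMPLE_EMAIL = (
    '<p>Please confirm your account at '
    '<a href="http://203.0.113.5/pp/login">www.paypal.com</a>. '
    'Questions? <a href="https://www.paypal.com/help">www.paypal.com/help</a> '
    'or <a href="https://example.net/unsubscribe">click here</a>.</p>'
)
```

Only links whose visible text itself names a host are judged, so "click here" anchors are left alone; that mirrors the mismatch warning the post describes rather than a general link reputation check.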
 