Phishing and BGP Blackholing

Travis H. travis+ml-nanog at
Thu Jan 18 01:04:09 UTC 2007

On Wed, Jan 03, 2007 at 03:35:30PM +0100, Florian Weimer wrote:
> SecureID might be helpful if you want to differentiate your product
> between automatic and manual use, but it doesn't do anything to
> authenticate the party you are relaying information to.  But it's
> useless in a phishing context.  If you want a token solution, at least
> use something that factors in transaction-related data.

And since the whole point of using a token is having an isolated,
presumably more trustworthy environment, then you also would logically
need a display and input device for it.  On the
cryptography at list, there has been some discussion of
this, and also some statements that the login needs to be part of the
"browser chrome" (whatever that is) and not just any old form on an
unprotected HTML page.  Furthermore, the current understanding of
marketing departments and customer support is on par with "the lock
icon means it's secure", so even reputable companies like (IIRC) Chase
are sending out emails telling their customers to log in to web sites
with domain names that don't even resemble Chase, essentially training
customers to be phishing victims.

It's clear that the technology has progressed to the point that it is
easier to confuse the user than actually exploit the security systems,
and what we really need now is some leadership from UI designers (say,
Apple) for browser designs and idioms that are intuitively obvious to
the most casual of users.  However, that's not exactly hard science and
there isn't much usability research in the security community, because
it's already so recondite.
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list