- From: Amir Herzberg <herzbea@macs.biu.ac.il>
- Date: Wed, 13 Sep 2006 09:19:02 +0300
- To: Naveen Agarwal <nagarwal@yahoo-inc.com>
- CC: "'Thomas Roessler'" <tlr@w3.org>, public-usable-authentication@w3.org, Research on current Internet anti-fraud techniques <anti-fraud@lists.cacert.org>
Naveen: I wish to congratulate you on the Yahoo! tool. It is a simple, useful indicator. Our experiments show a significant advantage to user-customized indicators like yours, and they are also more robust to fake internal window (PIP) attacks. BTW, in our experiment, we clarified to users the distinction between the content area and the chrome area (in terms of trust), and still had a very high (37%) spoof rate using `classical` browser indicators. So I don't think users' lack of sufficient attention to the chrome areas is due (only) to lack of understanding. Better indicators can help a lot (although I think we can and should do even more than indicators).

We are now working on a much larger experiment and may include a Yahoo-like indicator. Anybody interested in cooperating in the experiment, please contact me.

We present our existing experiment results in: *Security and Identification Indicators for Browsers against Spoofing and Phishing Attacks*, Amir Herzberg and Ahmad Gbara, available at http://eprint.iacr.org/2004/155.

I also recently posted another article, reviewing the basic problems and some solutions, including some details of the registry solutions I'm advocating (certificate registry and content registry): *Browsers Defenses Against Phishing, Spoofing and Malware*, available at http://eprint.iacr.org/2006/083

Comments welcome.

Best, Amir

Naveen Agarwal wrote:
> Some of you may have already seen this. Yahoo! has implemented a very
> easy to use sign-in seal to help users recognize a genuine Y! login
> page. The seal is not tied to any user but to the browser/PC, and to
> set it up a user doesn't need to enter any username/password either.
> With a personal picture it is very easy to recognize and use, and there
> are no extra steps to perform when doing a login, i.e. the login flow
> remains as simple as it is today.
>
> https://protect.login.yahoo.com/
>
> Thanks
>
> Naveen
>
> From: public-usable-authentication-request@w3.org
> [mailto:public-usable-authentication-request@w3.org] On Behalf Of
> Mary Ellen Zurko
> Sent: Monday, September 11, 2006 9:59 AM
> To: Thomas Roessler
> Cc: public-usable-authentication@w3.org
> Subject: Re: Status Update on W3C Security Work
>
> This story seems timely. If consumers are going to hold institutions
> accountable for phishing losses, institutions are going to demand an
> infrastructure that they can reasonably use to thwart phishing attacks.
>
> Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
> http://www.theregister.co.uk/2006/09/06/boi_refunds_phishing_victims/print.html
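The sign-in seal Naveen describes is bound to the browser/PC rather than to a username: the genuine login origin stores a per-browser identifier in a cookie and maps it to the picture or phrase the user chose, so a look-alike page on another origin has no way to show it. The model below is an added illustration of that mechanism, written for this thread; it is not Yahoo's implementation and not code from either article. `SealService`, `Browser`, `render_login`, the origin strings and the seal text are all constructed for the example, and the cookie jar keyed by origin stands in for the browser's same-origin cookie scoping.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SealService:
    """Server side of a sign-in seal (constructed model, not Yahoo's code).

    A random per-browser id, carried in a cookie scoped to the genuine login
    origin, maps to the seal the user picked. No username or password is
    involved in enrolment, matching the description in the thread.
    """

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or secrets.token_bytes(32)  # HMAC key for cookie integrity
        self.seals: Dict[str, str] = {}                  # browser id -> seal text/image name

    def _tag(self, browser_id: str) -> str:
        return hmac.new(self.secret, browser_id.encode(), hashlib.sha256).hexdigest()

    def enroll(self, seal: str) -> str:
        """Bind `seal` to a fresh browser id; return the value to set as the seal cookie."""
        browser_id = secrets.token_hex(16)
        self.seals[browser_id] = seal
        return f"{browser_id}.{self._tag(browser_id)}"

    def seal_for(self, cookie: Optional[str]) -> Optional[str]:
        """Seal to render on the login page, or None if the cookie is absent, forged or unknown."""
        if not cookie or "." not in cookie:
            return None
        browser_id, tag = cookie.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._tag(browser_id)):
            return None  # tampered or fabricated cookie
        return self.seals.get(browser_id)


class Browser:
    """Cookie jar keyed by origin: a page served from a different origin, including a
    look-alike phishing host, never receives the genuine origin's seal cookie."""

    def __init__(self):
        self.jar: Dict[str, str] = {}

    def set_cookie(self, origin: str, value: str) -> None:
        self.jar[origin] = value

    def cookie_for(self, origin: str) -> Optional[str]:
        return self.jar.get(origin)


GENUINE_ORIGIN = "https://login.example.test"  # constructed stand-in for the real login host
SPOOF_ORIGIN = "https://login.example.test.evil.test"  # constructed look-alike origin


def render_login(origin: str, service: SealService, browser: Browser) -> Optional[str]:
    """What the user sees on the login page at `origin`: the enrolled seal only when the
    page can present a valid seal cookie for its own origin, otherwise no seal at all."""
    return service.seal_for(browser.cookie_for(origin))


def demo() -> Dict[str, Optional[str]]:
    """Enrol once on the genuine origin, then compare genuine, spoofed and forged cases."""
    service, browser = SealService(), Browser()
    browser.set_cookie(GENUINE_ORIGIN, service.enroll("blue kite"))  # one-time setup
    return {
        "genuine": render_login(GENUINE_ORIGIN, service, browser),  # "blue kite"
        "spoof": render_login(SPOOF_ORIGIN, service, browser),      # None: no cookie for that origin
        "forged": service.seal_for("0" * 32 + ".not-a-valid-tag"),  # None: HMAC check fails
    }


if __name__ == "__main__":
    for case, seal in demo().items():
        print(f"{case:8} -> {seal}")
```

The point a defender should take from the model is the one Amir raises about fake internal windows: a spoof page can imitate chrome and layout, but it cannot display a seal it has never been shown, because the cookie that selects it is only sent to the genuine origin and the seal store is only reachable from there. The user still has to notice that the seal is missing, which is why the thread treats the seal as an aid to attention rather than a complete defence.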
Received on Wednesday, 13 September 2006 06:25:06 UTC