March 8, 2008
A Question of Programming Ethics
Pretty much inevitable — An app that asked for your GMail username & password was harvesting them. One point to the “Why we need OAuth” party.
April 12, 2007
slight paranoia: A Deceit-Augmented Man In The Middle Attack Against Bank of America’s SiteKey Service
Those anti-phishing “pick a photo and a phrase that must be displayed when you login to your bank” systems? Work-aroundable by smart-enough phishers. Wonder where the arms race goes next?
March 26, 2007
Beginner’s guide to OpenID phishing
Good overview of the phishing risks inherent in OpenID — Is it essentially doomed by providers limiting authentication to easily stealable usernames & passwords?
February 5, 2007
Study Finds Web Antifraud Measure Ineffective - New York Times
I’ve always suspected that these “Select your image and don’t enter your password if you don’t see it” systems were broken — Asking users to behave differently when something is *missing*, which they’re liable to forget even *existed*, is not security by any stretch.
October 2, 2006
PhishTank | Join the fight against phishing
New open database of user-submitted Phishing URLs. Somewhat reminiscent of Mark Fletcher’s old “Trustic” startup. Not sure how well the submission/validation system will scale, or deal with gaming, but it could be interesting to watch.
February 22, 2006
SANS - Internet Storm Center - Phollow the Phlopping Phish
All the info on a remarkably well-done phishing scam. Even users trained not to fall for scams could fall for this.