Michael, I have to give you kudos for working on a solution. However, I have
to say that you solution stinks. We definitely need more creativity and
ideas to fix this and I think that you have been creative but not worked with
the reality of the situation. Users will fight for simplicity, even if it
exposes them to losing thousands of dollars. And as you said, the emails
would not be encrypted. Any sysadmin or hacker who could break into a
vulnerable email server has access to the emails and those passwords.
Obviously, it would not be long before the hacker would be stopped, but he
doesn't have to get but one account if he knows which one, right? Each
website may choose its own method of password creation, even though you
specifically stated that they should choose good passwords, they might choose
a crappy incremental scheme anyways and circumvent the whole process. There
are simply too many steps, each of which could fail and be disastrous. But
keep thinking, one day we will have a half-solution to the problem. I don't
believe that it can ever be completely fixed. 99.9% of humans live by
perception, and that is what phishing thrives on.
- -Joseph Miller
On Monday 22 November 2004 10:40 pm, Michael Silk wrote:
> Hi,
>
> Just a quick little article about a login system that, should (i
> think :)), prevent phishing attempts on your site.
>
>
> http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
> l
>
> Have a look at it and let me know what you think ... and apologies
> to anyone if an idea like this is already out there :)
>
> -- Michael
>
>
> **********************************************************************
> This email message and accompanying data may contain information that is
> confidential and/or subject to legal privilege. If you are not the intended
> recipient, you are notified that any use, dissemination, distribution or
> copying of this message or data is prohibited. If you have received this
> email message in error, please notify us immediately and erase all copies
> of this message and attachments.
>
> This email is for your convenience only, you should not rely on any
> information contained herein for contractual or legal purposes. You should
> only rely on information and/or instructions in writing and on company
> letterhead signed by authorised persons.
> **********************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Hash: SHA1
Michael, I have to give you kudos for working on a solution. However, I have
to say that you solution stinks. We definitely need more creativity and
ideas to fix this and I think that you have been creative but not worked with
the reality of the situation. Users will fight for simplicity, even if it
exposes them to losing thousands of dollars. And as you said, the emails
would not be encrypted. Any sysadmin or hacker who could break into a
vulnerable email server has access to the emails and those passwords.
Obviously, it would not be long before the hacker would be stopped, but he
doesn't have to get but one account if he knows which one, right? Each
website may choose its own method of password creation, even though you
specifically stated that they should choose good passwords, they might choose
a crappy incremental scheme anyways and circumvent the whole process. There
are simply too many steps, each of which could fail and be disastrous. But
keep thinking, one day we will have a half-solution to the problem. I don't
believe that it can ever be completely fixed. 99.9% of humans live by
perception, and that is what phishing thrives on.
- -Joseph Miller
On Monday 22 November 2004 10:40 pm, Michael Silk wrote:
> Hi,
>
> Just a quick little article about a login system that, should (i
> think :)), prevent phishing attempts on your site.
>
>
> http://michaelsilk.blogspot.com/2004/11/article-solution-to-phishing.htm
> l
>
> Have a look at it and let me know what you think ... and apologies
> to anyone if an idea like this is already out there :)
>
> -- Michael
>
>
> **********************************************************************
> This email message and accompanying data may contain information that is
> confidential and/or subject to legal privilege. If you are not the intended
> recipient, you are notified that any use, dissemination, distribution or
> copying of this message or data is prohibited. If you have received this
> email message in error, please notify us immediately and erase all copies
> of this message and attachments.
>
> This email is for your convenience only, you should not rely on any
> information contained herein for contractual or legal purposes. You should
> only rely on information and/or instructions in writing and on company
> letterhead signed by authorised persons.
> **********************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBprWXmXZROF+EADURAmqhAJ43mQxv3dTmsQZz6fgoSL8m1INdLwCeOOgi
Tgjx+UKNzYWN406YQwEC+HE=
=N++X
-----END PGP SIGNATURE-----
[ reply ]