
One solution I have seen, is you select a custom image during the account signup process, and it appears on the login page. That way, if there is no cartoon elephant on the login page, then it is not right.

My Chinese bank account does this. I am not sure how effective it is, and it requires a two-step login, so it is terrible from a usability standpoint.



It's basically useless. Any decent attacker should be able to proxy your info through, retrieve your image, and show it to you in the expected time frame.


How would that work? How would the attacker "proxy your info through"?


Yahoo’s implementation of this (Sign In Seals) works with a Flash (LSO) Cookie. So, they remember your username (and your personalized picture / seal) by inspecting the Flash cookie. I remember the first time I tried it—and being impressed—but then wondering how the fuck they did it. Then being less impressed when I realized that it doesn’t work after clearing your Flash cookies (or if you have Flash turned off).


Suppose that to log in to friendface, you enter your username, then it shows you the cartoon elephant that you selected beforehand, and you enter your password.

When fake-friendface wants to phish you, they get your username, then they give that username to friendface and receive your cartoon elephant in exchange. They show you the cartoon elephant, and you decide that this must be friendface.


And how do they "get your username" before you entered it?


How does friendface show your cartoon elephant before you enter your username? (hint: it won't)

The way this works, looking at banking websites, is that the user enters a username. Then they get some secret image + description that they previously wrote, and can enter their password.


Most of the banking websites that do this also remember information about your browser and IP. If it's a new computer, you're required to verify the computer before they show you the image.


It is a simple man-in-the-middle attack. The proxy will forward the username and echo back whatever it receives from the bank.

The reason it might work in this case is because the assumption is that people will only verify the browser bar when they first arrive on the page, and not when they have been "tab nabbed" like this.


Correct.

Plus, the secret image assumes I actually remember which image I selected for every page. Given that none have the same collection of images, I'm likely to have only a vague notion of which one I picked at account creation.


The original implementation of this was from Yahoo. The image selection was stored locally in a cookie.

This is not the common implementation since most seemed to have missed the point.
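A small model of the two login schemes the thread contrasts: the server-side seal that a relaying look-alike page can reproduce (the man-in-the-middle described above), and the Yahoo-style client-side seal that is scoped to the origin that stored it. This is an added illustration, not code from the thread, from any bank, or from Yahoo; the origins, username and image are constructed.

```python
"""Model of the secret-image (site seal) login flow discussed in this thread.
Constructed example, not code from any bank or from Yahoo; origins, user
names and images are made up for illustration."""

# Constructed account data held by the legitimate site.
LEGIT_ORIGIN = "https://bank.example"
SEALS = {"alice": "cartoon elephant"}


def site_seal_for(username):
    """Step 1 of the two-step login: the site reveals the seal for a username."""
    return SEALS.get(username)


def relaying_proxy_seal(username):
    """Look-alike page acting as a man-in-the-middle: it forwards the username
    to the real site and echoes back whatever seal it receives, so it can show
    the right image without knowing anything in advance."""
    return site_seal_for(username)


def user_accepts(shown_seal, expected_seal):
    """The only check the user performs: is my chosen image on the page?"""
    return shown_seal is not None and shown_seal == expected_seal


class OriginScopedStore:
    """Yahoo-style variant: the seal is kept client-side, keyed by the origin
    that stored it (as a cookie would be), so another origin cannot read it."""

    def __init__(self):
        self._seals = {}

    def set_seal(self, origin, seal):
        self._seals[origin] = seal

    def seal_for(self, origin):
        return self._seals.get(origin)


def seal_shown_by(origin, store):
    """What a page served from `origin` can display under the client-side scheme."""
    return store.seal_for(origin)


if __name__ == "__main__":
    expected = "cartoon elephant"
    print("real site accepted?  ", user_accepts(site_seal_for("alice"), expected))
    print("relay proxy accepted?", user_accepts(relaying_proxy_seal("alice"), expected))
    store = OriginScopedStore()
    store.set_seal(LEGIT_ORIGIN, expected)
    print("fake origin, local seal accepted?",
          user_accepts(seal_shown_by("https://bank-login.example", store), expected))
```

The server-side check accepts the relay exactly as it accepts the real site, because the image is bound to the username rather than to the origin; the client-side variant withholds the seal from any other origin, at the cost noted earlier in the thread that it also vanishes when the local store is cleared.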


Don't try to cover up the fact that you got played as well ;) We're all friends here, you can admit your mistakes :)



