Note: with IIW starting today, I thought it would be fitting to talk about phishing and hopefully also convene a session on this over the next couple of days. This is a big problem for us in this space and something we’re going to need to find a solution for.
The second most common request from potential adopters of OpenID (right behind having a solution to the potential spam bot problem) is: what is the answer for dealing with phishing of OpenIDs?
Phishing to me is one of those “The Internet Sucks ™” problems (another example is how easily DNS can be spoofed – yes, it’s a bummer, but how do you *really* fix it?). However, I believe there are a few things we can do with OpenID to help alleviate the problem. After all, with one username and one password for all of the sites you visit in one place, the stakes are much higher.
The one thing we have going for us with OpenID as it relates to phishing is that users will be developing a stronger relationship with the one site where they enter their password. If there is even the slightest problem, it will be more obvious to the user because they go to their identity provider so often. Users are getting more and more sophisticated and the early adopter crowd is extremely savvy when it comes to phishing. However, this isn’t good enough.
There are a couple of approaches you can take to deal with phishing:
- Personalized site seal: Yahoo! has recently launched a service that allows users to put a personal image that they have chosen on their login page. If the user is directed to a phishing page that doesn’t have that picture on it, the user will realize it immediately and hopefully not enter their credentials. I’m not sure what they have done to make sure you can’t scrape that image from the users’ login page but I think this is to help stop “general” phishing pages. We’ll be implementing personalized site seal functionality in our OpenID identity provider soon.
- Two-factor authentication: What about having more than just a username and password? The example would be of a user having to enter in both a username and password, authenticate and then enter in some other data such as a secret question or contents of an SMS message. The phishing site might get your username and password but they won’t know your secret question. Feasibly, however, they could directly “log you in automatically” to your identity provider and then scrape the question, but this too would be quite difficult, although unfortunately not impossible.
- Browser extension/plugin: My least favorite of the solutions is to use an extension or plugin on the client to help verify the users’ identity provider. When installed, the user would enter where their identity provider is. If the user is presented with a username/password field that is not at their identity provider, it would change the chrome to red on the browser or bring up an annoying popup (it has to be annoying to be effective). Andy Dale has a great Firefox extension for doing this for OpenIDs and I believe Sxip is also working on one as well.
Unfortunately, that’s all I’ve got. It’s not fantastic and none of those completely stop the problem; they just buy us time while we figure out better solutions. If you have ideas for ways to combat phishing with OpenIDs, by all means, please comment here.
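The comparison a browser extension like the one described above has to make, as an added JavaScript sketch (not code from Andy Dale’s or Sxip’s extensions). The identity provider origin, the function names and every URL are constructed for illustration; the point is that the match must be on the exact origin, since a lookalike host, a userinfo prefix or an http downgrade all pass a naive substring test.

```javascript
// Added example. IDP_ORIGIN and every URL below are constructed values.
const IDP_ORIGIN = "https://www.myopenid.example"; // what the user entered at install

// Reduce a URL to scheme://host:port. Userinfo and path are discarded by the
// parser, so "https://idp@other.test/" yields the origin of other.test.
function originOf(rawUrl, base) {
  try {
    const u = new URL(rawUrl, base);
    return (u.protocol === "https:" || u.protocol === "http:") ? u.origin : null;
  } catch (e) {
    return null; // unparsable input is never trusted
  }
}

// pageUrl: address of the page that shows a password field.
// formAction: the form's action attribute; "" means it posts back to the page.
function checkPasswordForm(pageUrl, formAction, idpOrigin = IDP_ORIGIN) {
  const page = originOf(pageUrl);
  const target = originOf(formAction || pageUrl, pageUrl);
  if (page === null || target === null) {
    return { verdict: "warn", reason: "URL could not be parsed" };
  }
  // Exact origin match: no substring or suffix tests, and http never equals https.
  if (page !== idpOrigin) {
    return { verdict: "warn", reason: `password field shown on ${page}` };
  }
  if (target !== idpOrigin) {
    return { verdict: "warn", reason: `form posts to ${target}` };
  }
  return { verdict: "ok", reason: "page and form target are the identity provider" };
}

// Constructed cases: the real page, then pages that only resemble it.
const samples = [
  ["https://www.myopenid.example/signin", "/signin_submit"],
  ["https://www.myopenid.example.login.test/signin", ""],
  ["https://www.myopenid.example@phish.test/signin", ""],
  ["http://www.myopenid.example/signin", ""],
  ["https://www.myopenid.example/signin", "https://other.test/submit"],
];
for (const [page, action] of samples) {
  const r = checkPasswordForm(page, action);
  console.log(r.verdict.padEnd(4), page, "->", r.reason);
}
```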
My bank’s approach to combat phishing seems pretty good.
1. Enter your username.
2. Answer a secret question.
3. Enter your password on a screen which has an image and phrase that you selected when you set up the account.
This is a bit much for logging in every time, so they set a cookie once you have successfully logged in. From that point on, on that particular computer, you just do steps 1 and 3. If you clear your cookies or go to another computer, you get to answer the secret question again.
I was wondering about this earlier, and those are some very good suggestions. I think the personalized site seal is the best suggestion of those three. One thing in which I would have more confidence is to be logged into the OpenId provider before trying to access a site that supports OpenId. As long as the provider is stateful (and your session is still alive), you should never need to provide your credentials when validating. However, for stateless servers, the seal is definitely the way to go.
Display three images on the login page.
One of them is your image, selected earlier; the others are random, or just other people’s images. This combines 2-factor login with captcha with site-seal.
The weakness is that refreshing the page will give you different random images, so it’s easy to determine the real picture.. except.. if there’s only a pool of 10 images, or, the random items don’t change..
How about external authentication?
To save people a lot of reading, external authentication means using out-of-band methods like IM, email, Skype or others with a one-time-password. This is a great idea.
I don’t think site seals work. A spoof site can pass whatever username / password / shared secret to the real site and present the site seal back to the user.
As far as establishing the identity of an IdP or any site, an EV SSL certificate is probably the best solution to date. Adoption of EV SSL is another story (I believe the current and first EV SSL standard to be decided on took around 1.5 years.)
Thomas: actually the site seal is not tied to your username and password. It’s a one-time setup between your computer and the identity provider. The attacker would have to have access to your machine or in the case of a non-SSL connection, do a MITM attack. Looking over the general OpenID list archives, folks are saying that the Yahoo! site seal has some Flash functionality … if you set up the site seal on Firefox it’s there on IE as well.
I’m pretty sure the site seal is tied to cookies.
I set up the Yahoo! site seal in Firefox. When I went to log in in Safari, the seal was not there. Once in Safari, I logged in, logged out, and when logging back in a second time the site seal was not there.
Going back to Firefox, I deleted the Yahoo! cookies while signed out. When signing in, the site seal was not there.
I’m not sure how I feel about that. I read somewhere that a lot of people delete cookies nowadays.
If you guys are referring to BoA’s SiteKey which uses PassMark technology, cookies and other mechanisms are used to profile the client’s computer, network, and user for real-time risk analysis as well as offline risk analysis. Also, on-demand out-of-band authentication may kick in when risk gets too high. Overall, I think it’s an effective anti-phishing solution. But then I could be biased since I am one of the guys who built it.
Frankly, I think the best way to protect passwords from phishers is to hide the password from the user because you can’t lose what you don’t have.
Hi! Why can’t I fill in my info in my profile? Can somebody help me?
My login is Kisakookoo!
Where can you not fill out your profile? MyOpenID.com? More than happy to help.
FYI – we’ve implemented two new features on MyOpenID that help fight phishing as per suggestions from the OpenID community.
One thing in which i would have more confidence is to be logged into the OpenId provider before trying to access a site that supports OpenId.
To try to solve the problem using two-factor authentication, a team I work with is developing a beta implementation of strong, multi-factor authentication for OpenID, TrustBearer OpenID.
We’ve been concentrating on simple user experience at this point, and we are interested to learn what sort of features users will look for in this type of implementation.
With our OpenID, you basically just set up a strong authentication device and then link the device to your OpenID URL.