Ka-Ping Yee on Phishing
In “How to Manage Passwords and Prevent Phishing,” Ping writes:
So, right up front, here is the key property of this proposal: using it is more convenient than not using it.
This property makes this proposal unique (as far as I am aware). All the other proposals I have seen require the user, on each login, to do more work than they previously had to do. And that, in my mind, instantly dooms a solution to failure, or at the very least creates a stiff barrier to its adoption.
The full Passpet proposal is really good, as you’d expect. It entails extending the browser to use nicknames, keying those nicknames to domains, and providing strong password storage.
I think there are a few issues to be considered.
- How does the user decide if they’re at the right site to start with? Passpet works for the user if they’re setting up accounts, but if they’re transferring accounts into Passpet, they’re vulnerable to phishing. (That is, if I have a password for Citibank, and I enter it into a fake site, then the fake site now knows my Citibank password.)
- The user needs to install software.
- The bank doesn’t have any indication of the user’s password safety. This is easily corrected if the browser sets an ‘X-Passpet-Version:’ header.
In comparison to my “Preserving the Internet Channel Against Phishers” proposal, Passpet requires that the user install software, but allows the bank to continue sending HTML email and using dodgy hostname constructions. It also has the possibility of communicating additional detail about user security to the bank.
Sending HTML email is seen as very worthwhile by banks’ marketing departments. The security risk of a user setting up an account in the wrong place is a risk that banks will be happy to encourage you to take. The big questions will be the install cost of Passpet versus other “strong authentication” systems that are being put forth to satisfy new Federal regulations.