A technique to prevent Phishing

11 09 2009

When I come to think of it, stealing a person's credentials through phishing sites is going to be one of the biggest and most dangerous threats on the Internet.

Websites need to do more than merely display warning messages on their sites in order to prevent phishing, or at least bring down the number of instances.

I think the basic concept is for the website to authenticate itself to the user before the user puts in his/her password.

A simple technique that I thought of is described below.

The login screen first displays only the textbox for the username. Once the username is entered, the site makes an AJAX call, fetches the person's name and displays a message saying "Hi Vinci Rufus" (or some other info from the person's profile) before he/she can put in the password.

Well, this does add an additional step, but I think that extra step is worth it compared to losing your Internet identity forever.

I've put up a small example of the above technique at this URL:

www.vinznet.com/labs/phishing/first_step.php

username: user@user.com [you can also hit tab]
pass: user

username: admin@admin.com
pass: admin

This is surely not a foolproof method: if the user doesn't bother to look at the screen to see whether the site managed to get the correct info, then there is nothing that can be done about it, and if the username is very similar to the person's name then we'll need to pick up some other info, like the birthdate.

So let me have your thoughts and ideas in the comments area and we can have a discussion.

I'm also thinking of another solution involving a Flash/Flex based hologram kind of thing, but I'll talk about it in another post.
