Ka-Ping Yee wrote:
> Passpet's strategy is to customize a button that you
> click.  We are used to recognizing toolbar buttons by
> their appearance, so it seems plausible that if the
> button has a custom per-user icon, users are unlikely
> to click on a spoofed button with the wrong icon.
> Unlike other schemes, such as special-looking windows
> or a custom image shown with the login form, this
> strategy requires the user to directly interact with
> the customized UI element.

This seems like a promising tactic, since a first step
in any process is "look for the button".  If the user does
not see the button, they will be troubled, and will stop
and think.

Any customization is an effective anti-phishing measure:
Observe that eBay resists phishing by starting its
emails by addressing each user by logon name, and Amazon
resists phishing by extensively customizing its web page
to each user - by supplying non-cryptographic evidence
of an existing relationship.


    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     O37xiq0aPJeqGc7fQTWWTY85hPPktIPGAwbDifVD
     4bDTmZTlI9gWsmLu9xhSdisgc26xogVtQOnIi5/DI


---------------------------------------------------------------------
The Cryptography Mailing List