Peter Gutmann wrote:
The problem is that the default has always been to be insecure, and there's no
effective way to get people to move to the secure non-default, or at least
none that isn't relatively easily circumvented by a bit of creative thinking
and/or social engineering.

If the user is used to logging in by a user interface that is not easy to forge remotely - click on bookmark to bring up a user interface that is difficult to remotely forge - then this does indeed work.

There is always the give-your-password-over-the-phone attack, but the fact that phishers seeking WoW gold actually have to use the give-your-password-over-the-phone attack against WoW players shows the potency of a deliberately non-standard, difficult to forge, user interface.

WoW security does not stop phishing, but it makes phishers work for their money. WoW keeps telling users "never give your password to another person, no one at WoW will ever ask you for your password". Obvious advice, easy to understand and follow.



---------------------------------------------------------------------
The Cryptography Mailing List