On 9/6/10 11:42 AM, Oscar wrote:
> anti-phishing mechanism into the application
If I understand what people generally refer to as phishing, it's someone
else making pages appear enough like yours to fool the customers, but
with the submitted data going to a third party. As such, there's not a
whole lot you can do to prevent someone copying your site, but you can
make some feature on your site different from customer to customer and
try to train the customers to look for that personal feature before
trusting that they are where the page claims they are. For example,
Bank of America has an image that they ask you to select when setting up
your account. They call this a "SiteKey".
http://en.wikipedia.org/wiki/SiteKey
There are obvious flaws with this
technique, but it can help somewhat. I don't know if there are any
relevant patents/etc. but you should look into them before copying this
idea in case there are requisite licenses/royalties due to EMC. Of
course using https with a known key is a technical way of doing the
reverse side of mutual authentication, but it really does come down to
user training, as if the bank's users don't notice a different URL in
the address bar, they're also not going to notice http instead of https.
http://en.wikipedia.org/wiki/Mutual_authentication
Basically phishing involves mimicking your web application, and there's
very little you can do within your application to prevent that. I fear
there are no good solutions that don't involve training the bank's
customers to be more vigilant. If you come up with a good, clean
solution, please let us know.
-Dale
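The per-customer "personal feature" flow Dale describes, written out as an added Python simulation (this is not code from the thread, from Struts, or from Bank of America). It assumes a two-step login: the browser first submits only the username and the site answers with that user's self-chosen phrase, which the user checks before typing a password. It also shows the caveat behind the "obvious flaws" remark: if the phrase is released to anyone who types a username, a copycat site can simply relay the username and fetch the phrase, so the simulation releases it only to a browser holding a device token issued at enrolment (a cookie the browser would not send to an impostor's domain). The class name, method names and the hypothetical device-token scheme are this example's own choices.

```python
"""
SiteKey-style two-step login, simulated in memory.

Step 1: the user sends only a username; the site replies with the phrase the
        user picked at enrolment so the user can confirm the site's identity.
Step 2: having recognised the phrase, the user sends the password.

Assumption (example only): the phrase is handed out only when the request
carries a device token that was issued to that browser at enrolment. Without
this, an impostor page could harvest phrases by submitting usernames.
"""
import hashlib
import hmac
import os
import secrets


class SiteKeyLogin:
    def __init__(self):
        # username -> {"salt", "pw_hash", "phrase", "devices"}
        self._users = {}

    @staticmethod
    def _hash(salt, password):
        # Slow salted hash; PBKDF2 chosen because it is in the standard library.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username, password, phrase):
        """Register a user with a personal phrase; returns the device token the
        enrolled browser must present later (it would live in a cookie)."""
        salt = os.urandom(16)
        token = secrets.token_hex(16)
        self._users[username] = {
            "salt": salt,
            "pw_hash": self._hash(salt, password),
            "phrase": phrase,
            "devices": {token},
        }
        return token

    def step1_username(self, username, device_token):
        """Return the user's phrase only to a recognised device.

        None means 'do not show a phrase'; a real site would then fall back to
        a challenge question before trusting the new browser. Unknown users get
        the same answer as unrecognised devices so usernames cannot be probed.
        """
        user = self._users.get(username)
        if user is None or device_token not in user["devices"]:
            return None
        return user["phrase"]

    def step2_password(self, username, password):
        """Verify the password with a constant-time comparison."""
        user = self._users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"],
                                   self._hash(user["salt"], password))


def demo():
    """Walk through an enrolled browser, a lookalike site, and the password step."""
    site = SiteKeyLogin()
    # Constructed sample user; the phrase is what the customer is trained to look for.
    token = site.enroll("alice", "correct horse", "blue teapot")
    return {
        "enrolled_browser_sees": site.step1_username("alice", token),
        # A copycat site relaying the username has no device token for alice,
        # so it gets nothing to display and the missing phrase is the tell.
        "impostor_sees": site.step1_username("alice", "not-a-known-token"),
        "password_ok": site.step2_password("alice", "correct horse"),
        "password_bad": site.step2_password("alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is the one Dale makes in prose: the mechanism only helps if customers actually refuse to enter a password when the phrase is absent or wrong, and the device-token binding is what stops the phrase itself from being copied along with the rest of the page.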
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org