  1. #1
    bimalpoudel (SitePoint Addict)

    Protection mechanism against phishing activities (what can be done?)

    Recently one of our local banks suffered phishing issues. This incident forced them to completely shut down their online transactions. They forced every single user account's transaction password to be reset before the expiry time. This bank has a policy of 90-day password expiry and blocking re-use of the last 3 passwords.

    However, the phishing website collected both the login password and transaction password.

    You may see some screenshots at (in Nepali language):
    http://www.nagariknews.com/infotech/...-04-40-03.html

    My question is: as small and medium-sized website developers, how can we implement some security against such activities, which try to clone the look and feel of the valid website, trap the login details and attack the main accounts?

  2. #2
    Hi,
    On some websites, like PayPal, a "Verified by VeriSign, Inc." sign appears near the address bar; this is a sign registered to a specified domain, and it indicates to the user that he is on the correct page/domain.
    More details: verisign.com.

  3. #3
    I would suggest SSL certificates to secure your websites.
    Last edited by paul_wilkins; Apr 23, 2012 at 23:41. Reason: Self promotion removed

  4. #4
    dklynn (Certified Ethical Hacker)
    Bimal,

    From reading your post, I'm not sure whether you were the one conned by the phishing or someone else because I've NEVER heard of a bank demanding clients to go online (no doubt, to the link provided in an e-mail) to reset their passwords (no doubt, by providing their old password in order to change).

    What do banks actually do? Tell their customers that they will NEVER e-mail asking them to login to change their password details, they will NEVER phone for username and password details, that they must ALWAYS use their bookmarked link to the bank's website to login, i.e., NEVER click a link in an e-mail. A bank can do no more than that and still provide a service.

    There is a thread in the Server board which began asking about AJAX sessions timing out which discusses fingerprinting an individual using browser/OS/computer details easily available using JavaScript. Advertising agencies (and hackers) are sophisticated enough to use these techniques but they may be too much of a burden for banks.

    In case you missed the PC World article (Browser Fingerprints: A Big Privacy Threat) and the Electronic Frontier Foundation's article (How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)) and the EFF has a page to show what your browser is sending (33 points identify an individual).

    Regards,

    DK