Bimal,
From reading your post, I'm not sure whether you were the one conned by the phishing or someone else because I've NEVER heard of a bank demanding clients to go online (no doubt, to the link provided in an e-mail) to reset their passwords (no doubt, by providing their old password in order to change).
What do banks actually do? Tell their customers that they will NEVER e-mail asking them to log in to change their password details, they will NEVER phone for username and password details, that they must ALWAYS use their bookmarked link to the bank's website to log in, i.e., NEVER click a link in an e-mail. A bank can do no more than that and still provide a service.
There is a thread in the Server board which began asking about AJAX sessions timing out which discusses fingerprinting an individual using browser/OS/computer details easily available using JavaScript. Advertising agencies (and hackers) are sophisticated enough to use these techniques but they may be too much of a burden for banks.
In case you missed the PC World article (Browser Fingerprints: A Big Privacy Threat) and the Electronic Frontier Foundation's article (How Online Tracking Companies Know Most of What You Do Online (and What Social Networks Are Doing to Help Them)) and the EFF has a page to show what your browser is sending (33 points identify an individual).
Regards,
DK