Simple way to avoid fake website logins
Most of the readers here are probably beyond reproach in how they handle phishing attempts (whether they come as emails or as fake sites), but I heard of a tactic today that detects fake sites very easily and is simple enough for your mom to use.
If you're like me, you know several people who might not have the technical savvy to recognize scams that ask them to log into a bad guy's site masquerading as their bank or another trusted online source. Some of these fake sites go to the extreme of mimicking every single part of the trusted site, with the exception of the login form. Entering your credentials there gives the bad guys all they need to drain the victim's account via the legitimate site.
How can we expect people with little to no technical experience to recognize these threats and avoid them?
The answer is so simple even your crazy Aunt Martha can do it. (ok, maybe not crazy Aunt Martha, but everyone else)
Train your userbase (mom, dad, the neighbors, co-workers, etc) to use the double-login method.
The double-login method (my own name for it) has the user enter false information first, and then the legitimate information. A bogus login and password will be accepted by a bad site every time, because the site has no way of validating the information until later, when the attacker tries to use it to compromise the account.
An example:
Crazy Aunt Martha gets an email from her bank asking her to verify some security settings or transfers on her account.
Unbeknownst to Aunt Martha, the email was fake! It was a phishing attempt that contained a link that was formatted to look like it came from her bank, but in actuality connected her to the bad guy’s site which has been set up to look just like the legitimate bank.
Aunt Martha doesn't know the difference between the good site and the bad one, nor was she able to tell that the email link she just clicked was bogus. What Aunt Martha can do is use the double-login method to protect herself. She attempts to log into the site with her bogus information and it gets accepted! She immediately knows that this is a "Bad Guy's Website", promptly closes her browser, and forwards the email to her bank's security contact, which you (being the great IT guru that you are) already placed in Aunt Martha's address book.
A quick follow-up call to the bank can confirm the details and Aunt Martha’s life savings are intact!
If the bogus credentials are accepted, then the site is bad. How easy is that?
In the interest of full disclosure: This isn’t my idea. I heard of it at a small security conference earlier today. I just think it’s a really great idea that needs to be shared!
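The double-login heuristic, and the counter-moves the comments below raise against it, as a simulation. This is an added example, not code from the post's author: every "site" is a constructed stand-in (a function that returns True when its login form accepts a submission), and the user name and password are made up.

```python
"""Simulation of the post's "double-login" check (added example, not the author's code).

Each site model is a constructed stand-in: a function (username, password) -> bool that
returns True when the login form "accepts" the submission.  Modelled behaviours: the
legitimate bank, the naive fake site that accepts everything, the "reject first, accept
second" counter-move, and the real-time relay that asks the real site.
"""
import hashlib
import hmac
import os
import secrets
from typing import Callable, Dict, List, Tuple

Login = Callable[[str, str], bool]
Captured = List[Tuple[str, str]]  # everything a fake site records


def make_legitimate_site(users: Dict[str, str]) -> Login:
    """The real bank: validates against a salted-hash credential store."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000))

    def login(user: str, pw: str) -> bool:
        if user not in store:
            return False
        salt, expected = store[user]
        got = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)
        return hmac.compare_digest(got, expected)

    return login


def make_accept_all_site(captured: Captured) -> Login:
    """The fake site from the post: it cannot validate, so it accepts everything."""
    def login(user: str, pw: str) -> bool:
        captured.append((user, pw))
        return True
    return login


def make_reject_first_site(captured: Captured) -> Login:
    """The counter-move from the comments: reject attempt 1, accept attempt 2."""
    attempts = [0]

    def login(user: str, pw: str) -> bool:
        captured.append((user, pw))
        attempts[0] += 1
        return attempts[0] >= 2

    return login


def make_relay_site(captured: Captured, real: Login) -> Login:
    """The other comment's case: the fake site answers with the real site's verdict."""
    def login(user: str, pw: str) -> bool:
        captured.append((user, pw))
        return real(user, pw)
    return login


def double_login_probe(site: Login, user: str, password: str, decoys: int = 1) -> str:
    """The post's heuristic, generalised to N decoy attempts.

    Returns "flagged" as soon as a decoy password is accepted; otherwise submits the
    real password and returns "accepted" or "rejected".
    """
    for _ in range(decoys):
        decoy = secrets.token_urlsafe(12)  # random, never a real password
        if site(user, decoy):
            return "flagged"
    return "accepted" if site(user, password) else "rejected"


def run_simulation() -> Dict[str, Tuple[str, bool]]:
    """Probe each site model; result is (verdict, real_password_disclosed_to_fake_site).

    A working heuristic gives ("flagged", False); a bypass shows as ("accepted", True).
    """
    user, password = "aunt.martha", "correct horse battery staple"  # constructed
    real = make_legitimate_site({user: password})
    results: Dict[str, Tuple[str, bool]] = {}

    # The real site is the intended recipient, so nothing is "disclosed" there.
    results["legitimate"] = (double_login_probe(real, user, password), False)

    models = {
        "accept_all": (lambda cap: make_accept_all_site(cap), 1),
        "reject_first_one_decoy": (lambda cap: make_reject_first_site(cap), 1),
        "reject_first_two_decoys": (lambda cap: make_reject_first_site(cap), 2),
        "relay": (lambda cap: make_relay_site(cap, real), 1),
    }
    for name, (factory, decoys) in models.items():
        cap: Captured = []
        verdict = double_login_probe(factory(cap), user, password, decoys=decoys)
        results[name] = (verdict, (user, password) in cap)
    return results


if __name__ == "__main__":
    for name, (verdict, leaked) in run_simulation().items():
        print(f"{name:24s} verdict={verdict:9s} real password disclosed={leaked}")
```

Running it shows the heuristic catching the accept-everything site, being defeated by a site that rejects the first attempt (and caught again with two decoys), and being defeated outright by a site that relays each attempt to the real bank, since that site can only ever answer the way the bank does.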

Nice. It's so simplistic and seems fail safe. Wonder why it hasn't been broadcast more than it has? (Or has it?)
If it has been broadcast before, I haven’t heard it until today… Maybe there’s a flaw in the logic somewhere that somebody can point out, but as of now I’m telling everyone I know!
I think that maybe it’s one of those things that are so simple, we tend to overlook them.
Something I thought of this morning, though… If this catches on big enough, the phishers could have the form reject first then accept the second time.
Shh! Don’t tell the bad guys!
Well, the easiest thing to do would be to up the ante a bit on our end and just enter two bad passwords, then the good one. Obviously this doesn't scale very well and eventually the phishers could just take the initial credentials and perform their own authentication against the legitimate site to verify whether or not they're correct. That would be the easiest way to foil this little anti-phishing scheme.
So what is a robust, scalable solution that provides authentication of both the sender and receiver? How about SSL? What about single use passwords? Before you start thinking that these are foolproof, allow me to introduce you to Dan Kaminsky and his work on DNS cache poisoning: https://www.blackhat.com/presentations/bh-usa-08/Kaminsky/08_bhb_od2_slides.m4v
This is a stupid idea. If the phishing site uses the credentials given it to log in to the real bank site in real time - it _can_ verify whether or not the credentials entered are valid. And we’ve seen sites doing exactly this for years now. Sure this may work on some of the less advanced phishing sites but this is not good advice overall.
Want the real answer? How about opening up a second tab/window and typing in the bank’s website address by hand. Won’t help WRT DNS poisoning or other MiTM attacks but will prevent the entire class of obfuscation/redirection tricks.
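The commenter's advice is to ignore the emailed link and type the bank's address by hand. As an added example (not the commenter's code) of what that sidesteps, here is a small checker that judges an email link by the host the browser would actually connect to, rather than by what the link looks like. The trusted host name "bank.example" and every sample link are constructed, using the reserved .example domain.

```python
"""Does an emailed link really lead to the bank?  Added example, not the commenter's
code.  The trusted host and all sample links are constructed (.example is reserved)."""
from typing import List, Tuple
from urllib.parse import urlsplit


def host_belongs_to(hostname: str, trusted_host: str) -> bool:
    """True when hostname is trusted_host itself or a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    trusted_host = trusted_host.lower().rstrip(".")
    return hostname == trusted_host or hostname.endswith("." + trusted_host)


def link_goes_to_bank(href: str, trusted_host: str) -> Tuple[bool, str]:
    """Decide whether a link target really is the bank; returns (ok, reason).

    urlsplit().hostname already discards user-info ("bank.example@evil.example"),
    ports and IPv6 brackets, so the comparison sees the host the browser connects to.
    """
    parts = urlsplit(href.strip())
    host = parts.hostname
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    if not host:
        return False, "no host in link"
    if host.replace(".", "").isdigit() or ":" in host:
        return False, f"host is an IP literal: {host}"
    if not host.isascii():
        return False, f"host has non-ASCII characters (possible look-alike): {host}"
    if not host_belongs_to(host, trusted_host):
        return False, f"host {host} is not {trusted_host} or a subdomain of it"
    return True, "host matches the trusted bank domain"


def check_email_link(display_text: str, href: str, trusted_host: str) -> Tuple[bool, str]:
    """Judge the real target, and call out the case where the visible link text
    names the bank but the target does not (the classic redirection trick)."""
    ok, reason = link_goes_to_bank(href, trusted_host)
    if not ok and trusted_host.lower() in display_text.lower():
        return False, f"link text mentions {trusted_host} but {reason}"
    return ok, reason


# Constructed (display text, href) pairs as they might appear in an email.
SAMPLE_LINKS = [
    ("https://bank.example/login", "https://bank.example/login"),
    ("Secure login", "https://secure.bank.example/login"),
    ("https://bank.example/login", "https://bank.example.evil.example/login"),
    ("https://bank.example/login", "https://bank.example@evil.example/login"),
    ("https://bank.example/login", "http://bank.example/login"),
    ("Verify your account", "https://192.0.2.10/bank.example/login"),
    ("https://bank.example/login", "https://bаnk.example/login"),  # Cyrillic 'а'
]


def audit(links, trusted_host: str = "bank.example") -> List[bool]:
    """Return one verdict per (display text, href) pair."""
    return [check_email_link(text, href, trusted_host)[0] for text, href in links]


if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        ok, reason = check_email_link(text, href, "bank.example")
        print(f"{'OK  ' if ok else 'BAD '} {href:48s} {reason}")
```

The point of comparing `hostname` rather than searching the URL string for "bank.example" is that the string appears in four of the five bad links above (as a subdomain of another site, as user-info before an @, as a path, and as a look-alike) while the browser connects somewhere else every time. Typing the address by hand removes the link from the decision entirely; this checker is the next best thing when you cannot.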