In the unlikely event readers needed another reason to doubt the efficacy of the sitekeys that Bank of America, Yahoo! and others claim make their sites more secure, a muck-raking hacker has demonstrated a simple means of thwarting the measure. The demo comes courtesy of Christopher Soghoian, the Indiana University graduate …
The article fails to mention how a user activates the script, which requires that a user get tricked into clicking on an email link or a web link. It would be nice for a change to see the articles provide advice on how not to get phished. The demo page has good advice in this respect, especially to bookmark the right web site. After reading the anti-phishing advice given by over 60 banks and never seeing the word bookmark or add to favorites, it is nice to see that the demo page has accurate advice. Let's get the focus off how to recognize phishing attacks and tell people how to not get phished. Bookmark the legitimate address for the bank and never use any other means of getting to the web site and you will not get phished. Focus on Real, not on Fake!!
type it yourself
It really is that easy: just type the URL into your browser yourself. No attack can compromise your ability to type, although those prone to spelling mistakes might want to check the URL before submitting it, just in case.
My thought exactly
That was exactly what I thought when my online banking site enabled their new "security" policies. First, I had to select a picture as my personal image. Then I had to select 3 "security" questions, each from a separate list of 10 questions. Of course, most of these questions weren't applicable to me, as they referenced a spouse (of which I have none), family references (which I don't know the answers to), and public information (school, birth date, etc.).
But my jaw dropped when I read the text "If you see your personal image, you can be sure that you're on the real online banking site". Yeah, because I've never heard of a proxy server (which basically is all that a man-in-the-middle is). Hell, get an SSL cert for your proxy site, and you can even show people that you have "the padlock" for your site.
In a similar vein, my bank recently updated their website. Their new "investor information" page brings you to a different site altogether. And then any links on that page (links which are supposed to bring you back to the bank's site) bring you to clicknineteen.com (the marketing company which designed the site). I told my local branch's supervisor, and had her go through those pages with me, and she didn't even look in the address bar to see that she wasn't on the bank's site anymore. And that's the problem with most people -- they rarely look at the address bar to see where they are. And if they can't even be bothered to do that, then nothing will help them.