struts-user mailing list archives

From Dale Newfield <d...@newfield.org>
Subject Re: Avoid Phishing in Struts Applications plugin
Date Mon, 06 Sep 2010 16:19:28 GMT
On 9/6/10 11:42 AM, Oscar wrote:
> anti-phishing mechanism into the application

If I understand what people generally refer to as phishing, it's someone 
else making pages appear enough like yours to fool the customers, but 
with the submitted data going to a third party.  As such, there's not a 
whole lot you can do to prevent someone copying your site, but you can 
make some feature on your site different from customer to customer and 
try to train the customers to look for that personal feature before 
trusting that they are where the page claims they are.  For example, 
Bank of America has an image that they ask you to select when setting up 
your account.  They call this a "SiteKey".
http://en.wikipedia.org/wiki/SiteKey
There are obvious flaws with this 
technique, but it can help somewhat.  I don't know if there are any 
relevant patents/etc. but you should look into them before copying this 
idea in case there are requisite licenses/royalties due to EMC.  Of 
course using https with a known key is a technical way of doing the 
reverse side of mutual authentication, but it really does come down to 
user training, as if the bank's users don't notice a different URL in 
the address bar, they're also not going to notice http instead of https.

http://en.wikipedia.org/wiki/Mutual_authentication

Basically phishing involves mimicking your web application, and there's 
very little you can do within your application to prevent that.  I fear 
there are no good solutions that don't involve training the bank's 
customers to be more vigilant.  If you come up with a good, clean 
solution, please let us know.

-Dale

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

