views: 59
answers: 6

What are the best ways to prevent your website from being Phished? Please cite some technical suggestions and references if possible.

Thank you!

+6  A: 

Websites aren't phished -- users are. The most you can do is get an SSL certificate and, on your login screen, make a huge deal about golden padlocks and domain names (thanks codeka) and such.

zildjohn01
Even then, if the phishing page is on an SSL site, it'll still have a padlock. You have to make a big deal about the padlock *and* the domain name.
Dean Harding
A: 

I think phishing can vary a lot from web site to users. I can set up a new gmail website with a different domain name like gmai1.com (the number 1, not l) and send it to everybody to login to my email. How can you prevent it? The users usually have to be careful. It is really hard to have a silver bullet here.

vodkhang
A: 

Talk about using secure browsers (not IE) and about site verification issues that involve simple checking (a green domain name "certificate" next to the URI in Firefox indicates a verified site). Edit: this particular method hence defeats fake sites that use similarly-printed characters (Cyrillic, etc).

Delan Azabani
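As an added illustration of the look-alike domains vodkhang and Delan Azabani describe (gmai1.com with a digit one, Cyrillic letters that print like Latin ones), here is a small defender-side check a site owner could run over domains seen in referrers, abuse reports or newly registered names. This is example code written for this page, not code from any of the answers; the confusables map and the `PROTECTED` list are constructed and deliberately tiny, and `assess`, `skeleton` and `mixed_script` are hypothetical names.

```python
import unicodedata

# Constructed, deliberately small map of characters that look like ASCII letters.
# The real Unicode confusables.txt list is far larger; this is enough to illustrate.
CONFUSABLES = {
    "1": "l", "0": "o", "|": "l",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0458": "j",  # Cyrillic small je
}

# Constructed list of the domains we want to protect (our own brand domains).
PROTECTED = ["gmail.com", "example-bank.com"]


def to_ascii(domain):
    """Punycode (IDNA) form of a domain: what the resolver and the certificate actually see."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Collapse look-alike characters to their ASCII counterparts so that
    'gmai1.com' and 'gm\u0430il.com' both become 'gmail.com'."""
    norm = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)


def script_of(ch):
    """Very rough script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "LATIN"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script(domain):
    """True if any label mixes letters from more than one script (e.g. Latin + Cyrillic),
    the hallmark of a homograph domain."""
    for label in domain.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            return True
    return False


def assess(domain):
    """Return (verdict, flags); verdict is 'protected', 'lookalike' or 'unrelated'."""
    d = domain.lower().rstrip(".")
    flags = []
    if to_ascii(d) != d:
        flags.append("non-ascii")
    if mixed_script(d):
        flags.append("mixed-script")
    if d in PROTECTED:
        return "protected", flags
    sk = skeleton(d)
    for p in PROTECTED:
        if sk == skeleton(p):
            return "lookalike", flags
        if sk.startswith(skeleton(p) + "."):
            # e.g. gmail.com.evil.example: the brand is only a subdomain of someone else's domain
            return "lookalike", flags + ["brand-as-subdomain"]
    return "unrelated", flags


if __name__ == "__main__":
    samples = ["gmail.com", "gmai1.com", "gm\u0430il.com", "gmail.com.evil.example", "example.org"]
    for candidate in samples:  # constructed sample domains
        verdict, flags = assess(candidate)
        print(f"{candidate!r:28} -> {to_ascii(candidate):26} {verdict:10} {','.join(flags)}")
```

The punycode form is worth logging alongside the raw string: the browser address bar may render the Unicode glyphs, but certificates, DNS and your logs all deal in the `xn--` form, which is where the substitution becomes visible.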
+2  A: 

Not sure if this is what you mean, but sometimes websites can be "hijacked" using CSRF or XSS attacks.

XSS can particularly happen when you allow users to enter arbitrary text and don't ensure they're not entering arbitrary HTML code.

CSRF can happen if you don't ensure a link someone clicks in their browser originated from your website (they can authenticate on your website, get a cookie indicating they're authenticated, open a new tab, and be tricked into clicking a link on another website in the other tab that points to your website and causes some action to happen there).

Those links discuss mitigation strategies.

Eric J.
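To make Eric J.'s two points concrete, here is an added example (not code from the answer, and not any framework's own API) showing the two server-side checks involved: output-encoding untrusted text before it is placed into HTML, and a session-bound CSRF token that a link on another site cannot supply. The request dicts, session ids and server secret are constructed stand-ins, and `render_comment`, `issue_csrf_token`, `verify_csrf_token` and `handle_transfer` are hypothetical names.

```python
import hashlib
import hmac
import html
import secrets
import time

# Constructed server secret. A real deployment loads this from configuration; anyone
# holding it can mint valid tokens, so it must never be hard-coded or leaked.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def render_comment(user_text):
    """XSS defence: output-encode untrusted text so the browser displays it as text
    instead of parsing it as markup. html.escape also encodes quotes, which matters
    when the value lands inside an attribute."""
    return '<p class="comment">{}</p>'.format(html.escape(user_text, quote=True))


def _mac(session_id, timestamp):
    msg = "{}|{}".format(session_id, timestamp).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, issued_at=None):
    """CSRF defence: a token bound to the logged-in session and to an issue time.
    Layout is '<timestamp>.<hex hmac>', so the server needs no per-token storage."""
    ts = str(int(time.time() if issued_at is None else issued_at))
    return "{}.{}".format(ts, _mac(session_id, ts))


def verify_csrf_token(session_id, token, now=None):
    """True only if the MAC matches this session and the token has not expired."""
    try:
        ts, mac = token.split(".", 1)
        ts_int = int(ts)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(mac, _mac(session_id, ts)):  # constant-time compare
        return False
    current = time.time() if now is None else now
    return 0 <= current - ts_int <= TOKEN_MAX_AGE


def handle_transfer(request, now=None):
    """A state-changing endpoint. `request` is a constructed dict with 'method',
    'cookies' and 'form' keys standing in for a real framework's request object."""
    if request.get("method") != "POST":
        return 405, "state-changing actions must be POST"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not authenticated"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token, now=now):
        # A request triggered from another site carries the cookie but not the token, so it lands here.
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


if __name__ == "__main__":
    print(render_comment('<script>alert(1)</script>'))
    sid = "session-abc"  # constructed session identifier from the login cookie
    token = issue_csrf_token(sid)
    # A form rendered by our own page embeds the token; a cross-site request cannot.
    ours = {"method": "POST", "cookies": {"session": sid}, "form": {"csrf_token": token, "amount": "10"}}
    cross_site = {"method": "POST", "cookies": {"session": sid}, "form": {"amount": "10"}}
    print(handle_transfer(ours))
    print(handle_transfer(cross_site))
```

In practice the token goes into a hidden form field (or a request header for XHR) on every page that performs a state change, and the `SameSite` cookie attribute gives an additional, browser-enforced layer so the session cookie is not even sent on cross-site requests.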
A: 

BOFA website does something interesting that I really like, and I do believe it helps. They make you choose an image icon from a set when you register your account, and every time you log in it displays this image... if the image is not the same or not present it's a sign for the user that they are being ....

m0s
PNC does this as well, but unless I'm missing something, it just seems like it makes phishing more challenging, not outright impossible. The phisherman now has to take the username I present, go out to my bank's page and get my picture, and show it to me. I suppose the bank could look for multiple requests from the same endpoint for a variety of usernames to try and track it down or stop it early.
Tim Ridgely
Wouldn't it be better to show the image after authentication? That way the user should know that his account has been hacked and can take steps immediately... maybe not... for some reason phishing always works most of the time with less advanced users... especially if it's a direct target... I don't think there is a way to make a 100% phishing proof site... there are just some ways to make it harder and harder.
m0s
A: 

I don't like the price tag, and I'm not entirely convinced of the usefulness, but EV SSL is touted as a preventative measure.

Also, as m0s points out, showing user-selected information like pictures at some point during or after the authentication process is a step being taken by some sites, like banks.

The Anti-Phishing Working Group has a list of solutions directed towards web developers.

None of these things is a surefire solution, since the real key is user education and caution, but they certainly can't hurt.

Tim Ridgely