A Day in Paradise

A lot of people I know just lost the use of their Yahoo accounts due to falling for a simple phishing attack. The attack involves a Geocities web page which includes a Yahoo login page which prompts you for your password before connecting you to Yahoo! Photos.

It’s an obvious and simple phishing tactic, however in my opinion this particular attack is is made more dangerous by the fact that Yahoo seems to think that continually requesting your password makes your user information more secure. Does entering my password a couple times per session make my personal information more secure?

I sign into mail, enter my password, want to change my personal information, enter my password, surf over to 360, enter my password (twice?), get an IM from my sister with a link to a (yahoo) geocities site, get prompted to enter my password to view her photo.yahoo.com account… oops, that last one was a phishing site.

Yes, I should have known better, but the fact that “for my security” Yahoo makes me enter my password throughout the day depending on what site I am on and whether or not I am coming from the right subdomain, makes it even more difficult for me to distinguish a phishing attempt from a legitimate “for my security” password check. Thankfully as I hit the submit button I realized the stupidity of my actions and quickly changed my password, but unfortunately a couple people I knew weren’t as lucky.

Now I’m not beating up on Yahoo, but thanks to Google’s “evil cookie” I am very suspicious of any time Google asks me for my username and password.

Social engineering is effective, and when you’re building an application for millions of non-technical people you have to ask, what is more likely “A user looses personal information because they leave themselves signed in on a public terminal” or “A user looses personal information because they are prompted for their username and password and supply it one time too many.”

In the same line of thought, do any of you Yahoos know of a way how people who have had their accounts hijacked can get them back? Specifically people who don’t recall what set of “personal information” they used when they initially signed up with Yahoo.

This entry was posted on Tuesday, January 24th, 2006 at 4:50 pm and is filed under PHP. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.