Too much security?
A lot of people I know just lost the use of their Yahoo accounts due to falling for a simple phishing attack. The attack involves a Geocities web page which includes a Yahoo login page which prompts you for your password before connecting you to Yahoo! Photos.
It’s an obvious and simple phishing tactic, however in my opinion this particular attack is made more dangerous by the fact that Yahoo seems to think that continually requesting your password makes your user information more secure. Does entering my password a couple of times per session make my personal information more secure?
I sign into mail, enter my password, want to change my personal information, enter my password, surf over to 360, enter my password (twice?), get an IM from my sister with a link to a (yahoo) geocities site, get prompted to enter my password to view her photo.yahoo.com account… oops, that last one was a phishing site.
Yes, I should have known better, but the fact that “for my security” Yahoo makes me enter my password throughout the day depending on what site I am on and whether or not I am coming from the right subdomain, makes it even more difficult for me to distinguish a phishing attempt from a legitimate “for my security” password check. Thankfully as I hit the submit button I realized the stupidity of my actions and quickly changed my password, but unfortunately a couple people I knew weren’t as lucky.
Now I’m not beating up on Yahoo, but thanks to Google’s “evil cookie” I am very suspicious of any time Google asks me for my username and password.
Social engineering is effective, and when you’re building an application for millions of non-technical people you have to ask which is more likely: “A user loses personal information because they leave themselves signed in on a public terminal” or “A user loses personal information because they are prompted for their username and password and supply it one time too many.”
In the same line of thought, do any of you Yahoos know of a way for people who have had their accounts hijacked to get them back? Specifically people who don’t recall what set of “personal information” they used when they initially signed up with Yahoo.
Footnote: Yes I have set the option to only ask me for my password every 24 hours.
While I want to say I agree that making you enter your password over and over can lead to a user being overzealous, ending of course with them sending it to the wrong host.
On the other hand, I rather like the fact that Mac OS X makes you enter your password to modify any system resource or run an installer, which is a rather similar feature.
So I guess I’m a bit undecided on that.
I do think it would be a nice browser feature to remember where a form posts (using the username/password combination as a key), so that if you entered your username and password and the form action didn’t match where that user/pass pair generally went, you’d get a warning.
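A sketch of the browser feature suggested in that comment, as an added example that is not part of the original post or of any browser: it remembers the origin a login form posted to the first time a username was submitted and flags later submissions of the same username to a different origin. It keys on the username alone rather than the username/password pair, so the password is never stored; all hostnames are constructed for illustration.

```javascript
// Added example: in-memory model of a "remember where this login form posts" check.
// A real implementation would persist the map in the browser profile.

class FormOriginMemory {
  constructor() {
    // username -> Set of origins (scheme://host[:port]) where it was previously submitted
    this.known = new Map();
  }

  // Resolve a form's action attribute against the page it appears on and
  // return the origin the credentials would actually be posted to.
  static actionOrigin(pageUrl, action) {
    return new URL(action || '', pageUrl).origin;
  }

  // Returns { status: 'new' | 'match' | 'mismatch', origin, expected }.
  // Only 'new' and 'match' submissions are remembered: a mismatch is reported
  // to the user and NOT recorded, so a bogus login page cannot poison the memory.
  checkSubmit(username, pageUrl, action) {
    const origin = FormOriginMemory.actionOrigin(pageUrl, action);
    const seen = this.known.get(username);
    if (!seen) {
      this.known.set(username, new Set([origin]));
      return { status: 'new', origin, expected: [] };
    }
    const expected = [...seen];
    if (seen.has(origin)) return { status: 'match', origin, expected };
    return { status: 'mismatch', origin, expected };
  }

  // Called only after the user explicitly confirms a flagged destination is
  // legitimate (e.g. a sister site of the same service); extends the memory.
  trust(username, pageUrl, action) {
    const origin = FormOriginMemory.actionOrigin(pageUrl, action);
    if (!this.known.has(username)) this.known.set(username, new Set());
    this.known.get(username).add(origin);
  }
}

// Constructed walk-through: a legitimate login, then a look-alike page whose
// form posts somewhere else entirely.
const memory = new FormOriginMemory();
memory.checkSubmit('alice', 'https://login.portal-example.test/', '/auth');
const verdict = memory.checkSubmit('alice',
  'http://pages.free-host.test/~someone/photos.html',
  'http://collector.free-host.test/grab.php');
console.log(verdict.status, 'expected one of', verdict.expected); // mismatch
```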
[...] January: Slow month, Sid officially joined our family as “brother”. I weighed in on the PHP Security debate du jour wondering when good security verges on paranoia and the side effects. [...]