Too much security?

A lot of people I know just lost the use of their Yahoo accounts due to falling for a simple phishing attack. The attack involves a Geocities web page which includes a Yahoo login page which prompts you for your password before connecting you to Yahoo! Photos.

It’s an obvious and simple phishing tactic; however, in my opinion this particular attack is made more dangerous by the fact that Yahoo seems to think that continually requesting your password makes your user information more secure. Does entering my password a couple times per session make my personal information more secure?

I sign into mail, enter my password, want to change my personal information, enter my password, surf over to 360, enter my password (twice?), get an IM from my sister with a link to a (yahoo) geocities site, get prompted to enter my password to view her photo.yahoo.com account… oops, that last one was a phishing site.

Yes, I should have known better, but the fact that “for my security” Yahoo makes me enter my password throughout the day depending on what site I am on and whether or not I am coming from the right subdomain, makes it even more difficult for me to distinguish a phishing attempt from a legitimate “for my security” password check. Thankfully as I hit the submit button I realized the stupidity of my actions and quickly changed my password, but unfortunately a couple people I knew weren’t as lucky.

Now I’m not beating up on Yahoo, but thanks to Google’s “evil cookie” I am very suspicious of any time Google asks me for my username and password.

Social engineering is effective, and when you’re building an application for millions of non-technical people you have to ask what is more likely: “A user loses personal information because they leave themselves signed in on a public terminal” or “A user loses personal information because they are prompted for their username and password and supply it one time too many.”

In the same line of thought, do any of you Yahoos know of a way for people who have had their accounts hijacked to get them back? Specifically people who don’t recall what set of “personal information” they used when they initially signed up with Yahoo.

12 Responses to “Too much security?”

  1. Aaron Wormus Says:

    Footnote: Yes I have set the option to only ask me for my password every 24 hours.

  2. Elliott Says:

    While I want to say I agree that making you enter your password over and over can lead to a user being overzealous, ending of course with them sending it to the wrong host.

    On the other hand, I rather like the fact that Mac OS X makes you enter your password to modify any system resource or run an installer, which is a rather similar feature.

    So I guess I’m a bit undecided on that.

    I do think it would be a nice browser feature to remember where a form posts (using the username/password combination as a key), so that if you entered your username and password and the form action didn’t match with where that user/pass pair generally went you’d get a warning. :)

  3. A Day In Paradise » Yet another Blog Year-End Review: 2006 Says:

    […] January: Slow month, Sid officially joined our family as “brother”. I weighed in on the PHP Security debate du jour wondering when good security verges on paranoia and the side effects. […]
