On 8/29/2019 11:07 AM, Nick Lamb via dev-security-policy wrote:
...
If you _work_ for such an institution [e.g., a bank], the best thing you could do to
protect your customers against Phishing, a very popular attack that
TLS is often expected to mitigate, is offer WebAuthn....

You also could (1) use only one domain for everything (including email), and tell your customers on every login that that is the only legitimate domain; (2) use only one customer service number for everything, and ditto the customer notices.

The contrary (badly-insecure) practices are very common. I receive several such calls each year purporting to be from financial institutions at which I have accounts. So far, none have been phishes, but I always call back the customer service number that I originally obtained from the institution's website, and always submit a security ticket about this issue. It never gets fixed.

-R


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy