Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
> Could we parse all form submissions over unencrypted channels and put up
> an alert ("You _really_ don't want to do this!") if any of the fields
> was a sixteen-digit number which passed the credit-card-number checksum
> algorithm?
Much of phishing isn't about credit card details so
much as *any* information. And, as attackers are able
to adjust their policies to suit what's out there,
they could also make their sites foil the checks.
(Phisher programmers almost certainly haunt these
maillists...)
Also, I'm not sure whether the drain on CPU would be
worth the benefit?
Which isn't to say that I don't think it will work,
that's just a couple of reasons why it might not be as
efficacious as first thought.
> OK, so some places have four boxes for four digits each, but with clever
> coding, we might be able to catch that version too.
Sounds like an arms race... It's for this reason
that most people think about a crypto-inspired solution,
as strong keys can't be arms-raced, only bypassed.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
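As an added illustration (not code from the thread or from Mozilla), here is the client-side heuristic Gervase sketches: scan the fields of a form posted over plain HTTP for a sixteen-digit value that passes the credit-card checksum (Luhn), including the "four boxes of four digits" layout. Function names, the sample field names and the action URLs are assumptions made for the example.

```javascript
// Added example of the heuristic discussed in the thread; not Mozilla code.
// Luhn checksum: double every second digit from the right, subtract 9 if the
// result exceeds 9, and require the total to be divisible by 10.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Collect candidate 16-digit strings from an ordered list of [name, value]
// pairs: one field holding 16 digits (spaces or dashes allowed), or four
// consecutive fields holding exactly four digits each (the "four boxes" case).
function candidateNumbers(fields) {
  const found = [];
  const values = fields.map(([, v]) => String(v).replace(/[\s-]/g, ''));
  for (let i = 0; i < values.length; i++) {
    if (/^\d{16}$/.test(values[i])) found.push(values[i]);
    const run = values.slice(i, i + 4);
    if (run.length === 4 && run.every(v => /^\d{4}$/.test(v))) {
      found.push(run.join(''));
    }
  }
  return found;
}

// Luhn-valid card-like numbers in a submission, but only when the form is
// posted over plain HTTP; an empty list means no warning is needed.
function findCardNumbersOverHttp(actionUrl, fields) {
  if (!/^http:/i.test(actionUrl)) return [];
  return candidateNumbers(fields).filter(luhnValid);
}

// Constructed sample submissions; 4111 1111 1111 1111 is the well-known
// Luhn-valid test value, not a real account number.
const sampleSingle = [['name', 'A. User'], ['card', '4111 1111 1111 1111']];
const sampleBoxes = [['cc1', '4111'], ['cc2', '1111'],
                     ['cc3', '1111'], ['cc4', '1111']];
console.log(findCardNumbersOverHttp('http://example.test/pay', sampleSingle));
console.log(findCardNumbersOverHttp('http://example.test/pay', sampleBoxes));
```

As iang notes, a site can defeat this by reshaping its fields, so the check is a warning heuristic for the user, not a guarantee.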