Gervase Markham wrote:
> Idea off the top of my head - please tell me why it won't work.
>
> Could we parse all form submissions over unencrypted channels and put up an alert ("You _really_ don't want to do this!") if any of the fields was a sixteen-digit number which passed the credit-card-number checksum algorithm?


Much of phishing isn't about credit card details so
much as *any* information.  And, as attackers are able
to adjust their policies to suit what's out there,
they could also make their sites foil the checks.

(Phisher programmers almost certainly haunt these
mailing lists...)

Also, I'm not sure whether the drain on CPU would be
worth the benefit.

Which isn't to say that I don't think it will work,
that's just a couple of reasons why it might not be as
efficacious as first thought.

> OK, so some places have four boxes for four digits each, but with clever coding, we might be able to catch that version too.

Sounds like an arms race... It's for this reason that most people think about a crypto-inspired solution, as strong keys can't be arms-raced, only bypassed.

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
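The check Gervase sketches above, written out as an added example in browser-side JavaScript (not code from this thread or from Mozilla). It runs the card-number checksum (the Luhn mod-10 test) over the fields of a form submitted to a plain-http action, and also catches the "four boxes of four digits" layout by testing runs of four consecutive 4-digit fields. The `[name, value]` field shape and all function names are assumptions.

```javascript
// Luhn (mod 10) checksum, the standard card-number check-digit test.
function luhnValid(digits) {
  if (!/^\d+$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if one field value is a 16-digit Luhn-valid number, allowing the
// usual space/dash grouping such as "4111 1111 1111 1111".
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return digits.length === 16 && luhnValid(digits);
}

// Scans an ordered list of [name, value] pairs (assumed shape of a form
// submission). Returns the field-name groups that look like a card number:
// single fields, plus runs of four consecutive 4-digit fields whose
// concatenation passes Luhn (the "four boxes" layout).
function findCardNumberFields(fields) {
  const hits = [];
  fields.forEach(([name, value]) => {
    if (looksLikeCardNumber(value)) hits.push([name]);
  });
  for (let i = 0; i + 3 < fields.length; i++) {
    const group = fields.slice(i, i + 4);
    if (group.every(([, v]) => /^\d{4}$/.test(String(v).trim()))) {
      const joined = group.map(([, v]) => String(v).trim()).join("");
      if (luhnValid(joined)) hits.push(group.map(([n]) => n));
    }
  }
  return hits;
}

// Warn only when the form posts over an unencrypted channel and a
// card-looking number is present. Hypothetical policy hook.
function shouldWarn(formAction, fields) {
  return /^http:/i.test(formAction) && findCardNumberFields(fields).length > 0;
}
```

The 4111 1111 1111 1111 value used in the checks is the well-known test number, not a real card; a 16-digit value that is not Luhn-valid (an order number, say) is deliberately not flagged, which is also why iang's point stands that a site can simply break its fields differently.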
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
