Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Amir Herzberg
Ian G wrote: Ha! I think I figured it out ... Well, yes, as you'll see in another note, I also realized this... There are TWO banks, one is CitiBank and the other is CityBank! If you go to CityBank.com you get to the below. If you go to CitiBank.com you get to the above. Right... My apol

Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Amir Herzberg
Oops, sorry, my mistake, I typed citybank.com instead of citibank.com... Amir p.s. Citybank is a community bank (and yes, _they_ use unprotected login... but CitiBank is Ok). Amir Herzberg wrote: Hi, I noted that Citibank changed their login form at http://CitiBank.com. It now points you at t

Re: Criteria for an antiphishing tool

2005-06-19 Tyler Close
On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > No, the current SSL UI is *never* easy to use. I challenge you to
> > provide even a single counter-example.
>
> Ok, for example if you always type the URL to go to your bank's SSL
> site, or use a bookmark. The user

Re: Criteria for an antiphishing tool

2005-06-19 Heikki Toivonen
Tyler Close wrote: >>>On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote: >>> 4. No (or minimal) input from user. > > In this case, a user study shows that your instincts for what are > needed in an anti-phishing tool were wrong. It's OK to admit begin What is really needed and what th

Re: Criteria for an antiphishing tool

2005-06-19 Ian G
On Sunday 19 June 2005 19:51, Heikki Toivonen wrote:
> Ian G wrote:
> > Coupled with the emphasis on "the search for the
> > revenue stream" and a bunch of crypto venders who
> > thought their time had come, the scene was set for a
> > very big approach to this threat. They didn't adopt
> > the or

Re: Criteria for an antiphishing tool

2005-06-19 Tyler Close
Hi Heikki,
On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >
> >> 4. No (or minimal) input from user.
> >
> > At the TIPPI workshop, a user study was presented that showed that
> > passive anti-phishing to

Re: Criteria for an antiphishing tool

2005-06-19 Heikki Toivonen
Tyler Close wrote: >>Maybe you weren't paying attention, or maybe the word input is not as >>precise as I thought it is. I said *input* - meaning the user must >>enter some data to the system. > > Ah, I see. So if we demand users memorize and verify identification > credentials, instead of provid

Re: Criteria for an antiphishing tool

2005-06-19 Heikki Toivonen
Tyler Close wrote:
> On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
>
>> 4. No (or minimal) input from user.
>
> At the TIPPI workshop, a user study was presented that showed that
> passive anti-phishing tools such as those provided by Firefox,
> Netcraft and others failed to protect

Re: Criteria for an antiphishing tool

2005-06-19 Tyler Close
On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> 4. No (or minimal) input from user.
To drive home just how misguided this requirement is, I'd like to share with you some data from a recent anti-phishing workshop at Stanford. At the TIPPI workshop, a user study was presented that sho

Re: Criteria for an antiphishing tool

2005-06-19 Tyler Close
On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >>Current SSL system generally requires no input from user (exceptions are
> >>when some problem with the certificate the server presents).
> >
> > The above stat

Re: Criteria for an antiphishing tool

2005-06-19 Heikki Toivonen
Ian G wrote:
> Coupled with the emphasis on "the search for the
> revenue stream" and a bunch of crypto venders who
> thought their time had come, the scene was set for a
> very big approach to this threat. They didn't adopt
> the original threat model, but picked up a military-
> inspired threat

Re: User effort

2005-06-19 Heikki Toivonen
Duane wrote:
> In the end they decided to try it and now they enter the website address
> of their bank each time (they don't use bookmarks or click on links in
> emails) to make sure they connect to the right site each time. So
So for them the current SSL model is actually enough.
-- Heikki T

Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Ian G
On Sunday 19 June 2005 16:17, Ian G wrote:
> On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> > Hi, I noted that Citibank changed their login form at
> > http://CitiBank.com. It now points you at the site:
> >
> I followed the above to this:
> http://CitiBank.com/us/index.htm
> then clicked

Re: new citibank site uses wrong URL, certificate ?

2005-06-19 Ian G
On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> Hi, I noted that Citibank changed their login form at
> http://CitiBank.com. It now points you at the site:
I followed the above to this:
http://CitiBank.com/us/index.htm
then clicked on "* sign on" to get to this:
https://web.da-us.citibank.c

new citibank site uses wrong URL, certificate ?

2005-06-19 Amir Herzberg
Hi, I noted that Citibank changed their login form at http://CitiBank.com. It now points you at the site: https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460 Ignore the parameters... notice the domain, ibanking-services.com! And whois reveals it belongs to M

Re: Criteria for an antiphishing tool

2005-06-19 Ian G
On Sunday 19 June 2005 01:05, Tyler Close wrote:
> I think it's also important that we move beyond the "blame the
> customer" phase of this failure. Phishing occurs not because the user
> is lazy and stupid, but because the current SSL UI is lazy and stupid.
> The current SSL UI just blindly displ

Re: User effort

2005-06-19 Duane
Tyler Close wrote: Heikki, can you point to any user survey that shows that the typical user has no fear of money being stolen from their online bank account? I spent hours and hours and hours trying to convince my parents to use internet banking as it has real benefits over telephone banking