Ian G wrote:
Ha! I think I figured it out ...
Well, yes, as you'll see in another note, I also realized this...
There are TWO banks, one is CitiBank and the other is CityBank!
If you go to CityBank.com you get to the below. If you go to CitiBank.com
you get to the above.
Right... My apol
Oops, sorry, my mistake, I typed citybank.com instead of citibank.com...
Amir
p.s. Citybank is a community bank (and yes, _they_ use unprotected
login... but CitiBank is Ok).
Amir Herzberg wrote:
Hi, I noted that Citibank changed their login form at
http://CitiBank.com. It now points you at t
On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > No, the current SSL UI is *never* easy to use. I challenge you to
> > provide even a single counter-example.
>
> Ok, for example if you always type the URL to go to your bank's SSL
> site, or use a bookmark.
The user
Tyler Close wrote:
>>>On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
>>>
4. No (or minimal) input from user.
>
> In this case, a user study shows that your instincts for what are
> needed in an anti-phishing tool were wrong. It's OK to admit begin
What is really needed and what th
On Sunday 19 June 2005 19:51, Heikki Toivonen wrote:
> Ian G wrote:
> > Coupled with the emphasis on "the search for the
> > revenue stream" and a bunch of crypto venders who
> > thought their time had come, the scene was set for a
> > very big approach to this threat. They didn't adopt
> > the or
Hi Heikki,
On 6/19/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >
> >> 4. No (or minimal) input from user.
> >
> > At the TIPPI workshop, a user study was presented that showed that
> > passive anti-phishing to
Tyler Close wrote:
>>Maybe you weren't paying attention, or maybe the word input is not as
>>precise as I thought it is. I said *input* - meaning the user must
>>enter some data to the system.
>
> Ah, I see. So if we demand users memorize and verify identification
> credentials, instead of provid
Tyler Close wrote:
> On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
>
>> 4. No (or minimal) input from user.
>
> At the TIPPI workshop, a user study was presented that showed that
> passive anti-phishing tools such as those provided by Firefox,
> Netcraft and others failed to protect
On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> 4. No (or minimal) input from user.
To drive home just how misguided this requirement is, I'd like to
share with you some data from a recent anti-phishing workshop at
Stanford.
At the TIPPI workshop, a user study was presented that sho
On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >>Current SSL system generally requires no input from user (exceptions are
> >>when some problem with the certificate the server presents).
> >
> > The above stat
Ian G wrote:
> Coupled with the emphasis on "the search for the
> revenue stream" and a bunch of crypto venders who
> thought their time had come, the scene was set for a
> very big approach to this threat. They didn't adopt
> the original threat model, but picked up a military-
> inspired threat
Duane wrote:
> In the end they decided to try it and now they enter the website address
> of their bank each time (they don't use bookmarks or click on links in
> emails) to make sure they connect to the right site each time. So
So for them the current SSL model is actually enough.
--
Heikki T
On Sunday 19 June 2005 16:17, Ian G wrote:
> On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> > Hi, I noted that Citibank changed their login form at
> > http://CitiBank.com. It now points you at the site:
>
>
> I followed the above to this:
> http://CitiBank.com/us/index.htm
> then clicked
On Sunday 19 June 2005 16:51, Amir Herzberg wrote:
> Hi, I noted that Citibank changed their login form at
> http://CitiBank.com. It now points you at the site:
I followed the above to this:
http://CitiBank.com/us/index.htm
then clicked on "* sign on" to get to this:
https://web.da-us.citibank.c
Hi, I noted that Citibank changed their login form at
http://CitiBank.com. It now points you at the site:
https://cib.ibanking-services.com/cib/login.jsp?FIORG=775&FIFID=125106986&id=1449852460
Ignore the parameters... notice the domain, ibanking-services.com! And
whois reveals it belongs to M
On Sunday 19 June 2005 01:05, Tyler Close wrote:
> I think it's also important that we move beyond the "blame the
> customer" phase of this failure. Phishing occurs not because the user
> is lazy and stupid, but because the current SSL UI is lazy and stupid.
> The current SSL UI just blindly displ
Tyler Close wrote:
Heikki, can you point to any user survey that shows that the typical
user has no fear of money being stolen from their online bank account?
I spent hours and hours and hours trying to convince my parents to use
internet banking as it has real benefits over telephone banking