7

What are the best ways to prevent your website from being phished? Please cite some technical suggestions and references if possible.

Thank you!

Martin Ongtangco
    Don't have it read email and believe everything it sees. Since when is Phishing something that happens to web sites as opposed to gullible end users? – bmargulies May 17 '10 at 01:44
  • @bmargulies, I agree with you to a point; however, I can see the value in making a site less prone to phishing attacks, especially if the site handles money. Typical compromises between security and usability apply. If we can do something nifty and smart to make the 'net a safer place for my grandparents, then great. – Tim Ridgely May 17 '10 at 02:08
  • @Tim I'm uncharacteristically not sarcastic here. I think you need to add more detail to your question to flesh out the idea of 'a web site being phished.' – bmargulies May 17 '10 at 12:21
  • Not my question, but my view is that you'd use elements on your site that are: 1. recognizable to end users, 2. difficult for an attacker to duplicate. Phishing relies on the user having the same experience on the attacker's site as on the real site. – Tim Ridgely May 17 '10 at 14:17

8 Answers

8

Websites aren't phished -- users are. The most you can do is get an SSL certificate and, on your login screen, make a huge deal about golden padlocks and domain names (thanks codeka) and such.

zildjohn01
  • Surely the OP means, how does a website implement techniques to prevent its users from being phished. – B T Mar 27 '17 at 18:51
2

Not sure if this is what you mean, but sometimes websites can be "hijacked" using CSRF or XSS attacks.

XSS can particularly happen when you allow users to enter arbitrary text and don't ensure they're not entering arbitrary HTML code.

CSRF can happen if you don't ensure a link someone clicks in their browser originated from your website (they can authenticate on your website, get a cookie indicating they're authenticated, open a new tab, and be tricked into clicking a link on another website in the other tab that points to your website and causes some action to happen there).

Those links discuss mitigation strategies.

Eric J.
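The two mechanisms this answer names, as an added example that is not code from the original post: a per-session CSRF token (an HMAC over the session id with a constructed per-process key, both assumptions) checked on every state-changing request, and HTML-escaping of user-supplied text before it is rendered, so a comment that contains markup is shown as text rather than executed.

```python
import hashlib
import hmac
import html
import secrets

SECRET_KEY = secrets.token_bytes(32)   # constructed per-process key (assumption)


def csrf_token(session_id):
    """Token bound to the session, so one captured from another user is useless.
    Embed it in every state-changing form as a hidden field."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted):
    """Reject missing tokens and compare in constant time (bytes, so any str is safe)."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(csrf_token(session_id).encode(), submitted.encode())


def render_comment(text):
    """Escape user text so it is displayed as text, never parsed as HTML."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def handle_post(session_id, form):
    """Comment-form handler; returns (HTTP status, body)."""
    if not csrf_valid(session_id, form.get("csrf")):
        return 403, "request did not originate from this site"
    return 200, render_comment(form.get("comment", ""))
```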
1

You can use a one-time password (OTP) via mobile SMS or email to prevent phishing attacks. And instead of asking for an OTP on every login, you can do it once whenever there is a new IP. This way it can be less annoying for the user.

Arun Ghosh
  • This won't prevent your password from being stolen, but can prevent it from being successfully used (on that one website). – B T Mar 27 '17 at 18:55
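The step-up policy from this answer, as an added example that is not code from the original post: a password-only login from an IP that has already completed an OTP for that user, and an OTP challenge (single use, time-limited, stored only as a hash) from any other IP. The in-memory dictionaries, the 300-second lifetime and the `login` status strings are assumptions; a real site would persist the state and deliver the code out of band.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state standing in for a database (assumption).
KNOWN_IPS = {"alice": {"203.0.113.10"}}   # IPs that already passed an OTP
PENDING_OTP = {}                          # username -> (otp_hash, expires_at)
OTP_TTL = 300                             # seconds an OTP stays valid

def _otp_hash(username, otp):
    # Store only a hash so a leaked table does not expose live codes.
    return hashlib.sha256(f"{username}:{otp}".encode()).hexdigest()

def needs_otp(username, client_ip):
    """Step up only when this IP has never completed an OTP for this user."""
    return client_ip not in KNOWN_IPS.get(username, set())

def issue_otp(username, now=None):
    """Create a 6-digit code; the caller delivers it by SMS or email."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING_OTP[username] = (_otp_hash(username, otp), now + OTP_TTL)
    return otp

def verify_otp(username, client_ip, otp, now=None):
    """Single use, expiry enforced, constant-time compare; remembers the IP."""
    now = time.time() if now is None else now
    entry = PENDING_OTP.pop(username, None)   # consumed whether or not it matches
    if entry is None:
        return False
    stored_hash, expires_at = entry
    if now > expires_at:
        return False
    if not hmac.compare_digest(stored_hash, _otp_hash(username, otp)):
        return False
    KNOWN_IPS.setdefault(username, set()).add(client_ip)   # trust this IP from now on
    return True

def login(username, password_ok, client_ip, otp=None, now=None):
    """Returns 'denied', 'otp_required' or 'ok'."""
    if not password_ok:
        return "denied"
    if not needs_otp(username, client_ip):
        return "ok"
    if otp is None:
        issue_otp(username, now)   # would be sent out of band here
        return "otp_required"
    return "ok" if verify_otp(username, client_ip, otp, now) else "denied"
```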
0

What the result shows may not be phishing, but one thing I noticed about phishing sites is that there are many folders with 32-character-long names, and these folders are many. Inside each folder you may find phishing content. Use the following command to find the folders with 32-character-long names and scan them manually to check whether they are phishing or not.

#find /home*/*/public_html/* -type d -name "????????????????????????????????" > phishing.txt

You are free to use other techniques and can share if you like.

Prakash
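The same sweep as the `find` command above, as an added example that is not code from the original post: it walks a hosting root, lists every directory whose basename is exactly 32 characters, and additionally flags names made of 32 lowercase hex characters (the shape of an MD5 hex digest), which is an extra heuristic of mine, not something the answer states. The sample tree is constructed in a temporary directory; `site1`/`site2` and the directory names are made up.

```python
import os
import re
import shutil
import tempfile

HEX32 = re.compile(r"^[0-9a-f]{32}$")   # 32 lowercase hex chars, e.g. an MD5 hex digest

def find_long_named_dirs(root, length=32):
    """Walk root like `find -type d -name "????...?"` and return (relative path,
    looks_hex) for every directory whose basename is exactly `length` characters."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if len(name) == length:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel, bool(HEX32.match(name))))
    return sorted(hits)

def report(root):
    """Lines for manual review, hex-named directories listed first."""
    ordered = sorted(find_long_named_dirs(root), key=lambda hit: not hit[1])
    return [f"{'HEX ' if is_hex else 'LONG'} {rel}" for rel, is_hex in ordered]

def build_sample_tree():
    """Constructed sample hosting tree (not a real server): one normal directory,
    one 32-hex-char directory, one 32-char non-hex directory. Returns the temp root."""
    root = tempfile.mkdtemp()
    for rel in (
        "site1/public_html/images",
        "site1/public_html/0123456789abcdef0123456789abcdef",   # 32 hex chars
        "site2/public_html/update-your-account-details-now-",   # 32 chars, not hex
    ):
        os.makedirs(os.path.join(root, rel))
    return root

def cleanup(root):
    """Remove the temporary sample tree."""
    shutil.rmtree(root)

if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        print("\n".join(report(sample)))
    finally:
        cleanup(sample)
```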
0

I think phishing can vary a lot from web site to users. I can set up a new Gmail website with a different domain name like gmai1.com (the number 1, not l) and send it to everybody to log in to my email. How can you prevent it? The users usually have to be careful. It is really hard to have a silver bullet here.

vodkhang
0

Talk about using secure browsers (not IE) and about site verification issues that involve simple checking (a green domain name "certificate" next to the URI in Firefox that's green indicates a verified site). Edit: this particular method hence defeats fake sites that use similarly-printed characters (Cyrillic, etc.).

Delan Azabani
0

The BOFA website does something interesting that I really like, and I do believe it helps. They make you choose an image icon from a set when you register your account, and every time you log in it displays this image... if the image is not the same or not present, it's a sign for the user that they are being ....

m0s
  • PNC does this as well, but unless I'm missing something, it just seems like it makes phishing more challenging, not outright impossible. The phisherman now has to take the username I present, go out to my bank's page and get my picture, and show it to me. I suppose the bank could look for multiple requests from the same endpoint for a variety of usernames to try and track it down or stop it early. – Tim Ridgely May 17 '10 at 02:00
  • Wouldn't it be better to show the image after authentication? That way the user should know that his account has been hacked and can take steps immediately... maybe not... for some reason phishing always works most of the time with less advanced users... especially if it's a direct target... I don't think there is a way to make a 100% phishing-proof site... there are just some ways to make it harder and harder. – m0s May 17 '10 at 02:06
  • security images are ineffective: https://security.stackexchange.com/questions/19155/effectiveness-of-security-images – kkurian May 04 '18 at 21:37
0

I don't like the pricetag, and I'm not entirely convinced of the usefulness, but EV SSL is touted as a preventative measure.

Also, as m0s points out, showing user-selected information like pictures at some point during or after the authentication process is a step being taken by some sites, like banks.

The Anti-Phishing Working Group has a list of solutions directed towards web developers.

None of these things is a surefire solution, since the real key is user education and caution, but they certainly can't hurt.

Tim Ridgely
  • The "list of solutions" link is broken. – Jon Schneider Jan 31 '17 at 20:07
  • "Secure images" have been dubbed "worse than useless" because they give a false sense of security without any actual security: http://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05 . The problem is that an attacker could easily gain access to the "secure" image. – B T Mar 27 '17 at 18:54