Computer Crime Research Center


Passwords vulnerable to phishing

Date: August 09, 2006

The ultimate solution to phishing is strong authentication, which requires client software, usually in conjunction with a physical token. However, widespread resistance to managing software and handling physical tokens means that universal strong authentication is not currently feasible. For users who cannot be strongly authenticated, financial services companies are seeking a zero footprint solution that not only provides some phishing protection, but also provides a frictionless growth path to stronger authentication in the future.

Why Passwords Are Vulnerable to Phishing
The main reason passwords are vulnerable is that they are shared secrets. The user types the password into a web page and hits submit. The password is sent over the Internet to the web server, where it is validated against a "master password file." The potential attacks against this system are myriad, but the ones most relevant to phishing are:

The user types the password into a fake web site, giving the password to the phisher

The user sends the password in response to a phishing email

A Trojan or keystroke logger captures the password at the desktop
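
As an added illustration (not part of the original article), the sketch below models the shared-secret check described above next to a simplified token-style challenge-response. The `Server` class, `token_response`, the `bank.example` origins and the account are constructed for the example, and binding the response to the origin is an assumption about how the client software behaves.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"        # constructed origin
FAKE_ORIGIN = "https://bank-login.example"  # constructed look-alike origin


def token_response(key, challenge, origin):
    # Runs in the client software/token: MAC over the challenge and the origin in use.
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.password_file = {}  # user -> salted hash ("master password file")
        self.token_keys = {}     # user -> key held by the user's token
        self.pending = {}        # user -> outstanding single-use challenge

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def enroll(self, user, password, token_key):
        self.password_file[user] = self._hash(password)
        self.token_keys[user] = token_key

    def login_password(self, user, password):
        return hmac.compare_digest(self.password_file[user], self._hash(password))

    def new_challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]

    def login_token(self, user, response):
        challenge = self.pending.pop(user, b"")  # consumed on first use
        expected = token_response(self.token_keys[user], challenge, REAL_ORIGIN)
        return bool(challenge) and hmac.compare_digest(expected, response)


def demo():
    server, key = Server(), secrets.token_bytes(32)
    server.enroll("alice", "correct horse", key)  # constructed account
    # A password is accepted from whoever submits it, so a captured copy works.
    pw_replay = server.login_password("alice", "correct horse")
    at_fake = token_response(key, server.new_challenge("alice"), FAKE_ORIGIN)
    wrong_origin = server.login_token("alice", at_fake)
    genuine = token_response(key, server.new_challenge("alice"), REAL_ORIGIN)
    first, second = server.login_token("alice", genuine), server.login_token("alice", genuine)
    return pw_replay, wrong_origin, first, second
```

`demo()` returns `(True, False, True, False)`: the captured password is accepted, a response computed for the look-alike origin is rejected, and a genuine response is accepted once and rejected when presented a second time.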