
Color can prevent your users from getting phished - emeltzz
https://hackernoon.com/how-color-can-prevent-your-users-from-getting-phished-a4f73317474f
======
Semiapies
So, this system, if it ever got wide use, would rely on users remembering
which "unique" colors were randomly assigned to them by whichever sites they
use.

I was thinking, "Gee, if a scanner put a random color bar at the top of the
phishing emails, how often would the color look close enough that the user
couldn't distinguish between it and their own color, at least without
comparing the colors side-by-side?", but I'm not convinced users would even
_remember_ their colors after the second or third one.

(And of course, this is very flawed for the color-blind and utterly useless
for anyone using screen-readers.)

~~~
emeltzz
I think this is a good start--some easy modifications could turn it into a
3-color banner similar to the French or Mexican flags, which would be both
easier to remember and less likely for a scammer to guess correctly. Or you
could do randomly generated animals! i.e. "if you don't see a pink bear,
you're being phished"

------
frosted-flakes
The power company where I used to live did something like this for its online
dashboard, but with images (I think it was Delmarva Power). Every time you
entered your username to log in, it would show you a simple image/line-drawing
and a message saying that if the image ever changes, you're being scammed, so
don't enter your password. I've never seen anything like it since.

As far as colours on emails goes, if everyone starts doing it, nobody will
remember which colour goes with which company. It needs to be something more
distinctive than just a colour band.

~~~
numtel
My credit union had that for years but you had the option to choose from a set
of available images.

They replaced it last year with mandatory SMS 2FA. I immediately sent them a
message about how insecure it is but never received a response. What a
terrible regression.

------
retrobox
This seems great in theory but I can’t help but think the phishing scam would
evolve into "your account has been hacked and your secret color discovered.
Click here to login and set a new secret color.”

Also, let’s suppose a database of users and their associated color is
compromised but that the intrusion is not immediately detected. This allows
scammers to craft emails with the right color of banner leading to “but the
email has the right color at the top so it can’t be a phishing scam” logic.

It may just shift the problem.
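Two of the concerns raised in this thread can be put in concrete terms: Semiapies asks how often a randomly chosen banner colour would look close enough to a user's real one, and retrobox points out that a dumped table of user-to-colour mappings hands phishers the right colour. The following is an added example written for this discussion, not code from the article or from any commenter. It assumes a server-side key (a constructed placeholder here), derives each user's colour from that key with HMAC rather than storing the colour in the user table, and uses a plain RGB Euclidean distance with a constructed threshold of 60 as a rough stand-in for "looks the same to a user who is not comparing side by side".

```python
import hashlib
import hmac
import math
import random

# Constructed placeholder; a real deployment would load this from a secret store,
# not hard-code it. The colour depends on this key, so a dump of the user table
# alone does not reveal anyone's banner colour.
SERVER_KEY = b"example-server-side-banner-key"


def derive_banner_color(server_key: bytes, user_id: str) -> str:
    """Return a stable per-user banner colour as '#rrggbb'.

    The colour is recomputed from the server key and the user id on every
    request, so there is no per-user colour column for an intruder to read.
    """
    digest = hmac.new(server_key, user_id.encode("utf-8"), hashlib.sha256).digest()
    return "#{:02x}{:02x}{:02x}".format(digest[0], digest[1], digest[2])


def parse_hex(color: str) -> tuple:
    """Split '#rrggbb' into an (r, g, b) tuple of ints."""
    color = color.lstrip("#")
    return tuple(int(color[i:i + 2], 16) for i in (0, 2, 4))


def rgb_distance(a: str, b: str) -> float:
    """Euclidean distance between two colours in RGB space (0 .. ~441.7)."""
    (r1, g1, b1), (r2, g2, b2) = parse_hex(a), parse_hex(b)
    return math.sqrt((r1 - r2) ** 2 + (g1 - g2) ** 2 + (b1 - b2) ** 2)


def looks_the_same(a: str, b: str, threshold: float = 60.0) -> bool:
    """Crude model of 'the user would not notice the difference'.

    The threshold is a constructed assumption; a perceptual model (e.g. CIEDE2000)
    would be more faithful, but the point is only that a band of colours, not a
    single value, will pass a casual glance.
    """
    return rgb_distance(a, b) <= threshold


def random_guess_hit_rate(target: str, trials: int = 20000,
                          threshold: float = 60.0, seed: int = 0) -> float:
    """Estimate how often a uniformly random banner colour passes as `target`.

    This is the risk estimate for Semiapies' scenario: a message carrying an
    arbitrary colour bar sometimes lands close enough by chance alone.
    """
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    hits = 0
    for _ in range(trials):
        guess = "#{:06x}".format(rng.getrandbits(24))
        if looks_the_same(target, guess, threshold):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    alice = derive_banner_color(SERVER_KEY, "alice")  # constructed user id
    print("alice's banner colour:", alice)
    print("chance a random colour passes for a mid-grey user: "
          f"{random_guess_hit_rate('#808080'):.3f}")
```

For a colour in the middle of the RGB cube the chance that a random guess lands within the threshold is roughly the volume of a sphere of radius 60 over the volume of the cube, about 5%; for colours near a corner it is lower, since much of the sphere falls outside the cube. Deriving the colour from a server key answers the "dumped table" case but not a compromise of the server itself, so it narrows retrobox's objection rather than removing it, and it says nothing about whether users will remember the colour in the first place.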

------
cloud_thrasher
This is a long-standing issue and many solutions have been devised. Regardless
of most solutions, it will probably always fail because people don't want to
be bothered with remembering colors, images, configuring PGP, etc. Case in
point, ask anyone how much they are annoyed by reCAPTCHA.

------
wodenokoto
Yahoo had something similar, although all I remember was them bugging me to
choose a color for security, and me trying to ignore it because I didn't care.

I wanna say it was something about colouring the login box, but I can't make
that make sense.

