
The 'personal seal', which some sites put on pages requesting login, would help fight this 'tabnabbing' attack.

I think Yahoo does that, and so does my bank. Of course, one has to bother creating the seal, but it's an easy one-time step.




Kudos to your bank. It's such a simple system for users and so easy for devs to allow a quick image upload I'm surprised it's this uncommon.


I must confess I 'cheated' - I picked this bank because their web site seemed well done (worked in Firefox with no Flash, etc). Also not too intent on nickel-and-diming users.

Actually, besides uploading a pic, they also allow text or a doodle. In case anyone is curious, it's here, in Portuguese: http://www.banif.pt/xsite/Particulares/Banifast/ServicoBanif...;

Their 'password' security is pretty good, too. They have two levels of 8-digit PINs (one to 'read' the account, then another to 'write', i.e. move money out). They only ask for input of 4 out of those 8 digits (randomly, e.g. 3rd, 5th, 6th, 8th), using an on-screen pad (defeats key-logging).


Well, it'll defeat a conventional keylogger, but not one that logs mouse events with accompanying screenshots; or a keylogger that runs a MITM attack.



