[cap-talk] an attack on the pet name tool bar
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Thu Feb 10 21:18:58 EST 2005
Ian G wrote:
> OK, so here's the phishing attack against the
> pet name: Alice's browser is set up to have a
> pet name when browsing to the Bank.com.
>
> Phisher sends a phish from AuditProcessBank.com
> and says that ("blah blah") and please enter the
> pet name as well as other details into the form.
A bit of an odd request, since only Alice's software can
resolve her pet names and so there's normally no reason why
anyone else would want them, but go on...
> If the user falls victim to this, a second pro-forma
> phish is then created with a false petname bar
> and the other details. (It would need to be
> indexed off of the user's IP address I guess.)
The problem here is obviously the "false petname bar".
It almost goes without saying that the petname bar must not
be spoofable (e.g. by always displaying it at the top of
all windows that can be used for browsing, and preferably
by distinguishing those from all other windows). Isn't this
true of the security-related GUI elements for any possible
solution, including the TrustBar?
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>