You know what, this is a phisher's dream. Even if we could trust this website for not saving the data, the connection is a regular non-secure connection, so all somebody would have to do is catch some open wireless connections or similar.
I'm not convinced that this will help so much here. Assuming that victims won't be checking for SSL, getting someone to an insecure copy of the site will do. I don't see how this would be your problem, though.
Another way this could be a good scheme is if people trust it and start sending it as a way to educate people, and when it starts getting momentum, it is changed and does start recording numbers.
I'd remove the negativity from the start. Putting "This is a test, you have failed it" right in front of folks is an instant turn-off, and might lead people away from your page instead of to the helpful content below.
More bullet points. There's not a whole lot of text there now, but anything you can do to get the message across with fewer words is a win, especially when dealing with non-technical folks.
Under "look at the address bar", you have:
A common phishing trick is to have a domain like amazon.com.not.ru, which steals your credentials when you try to log in. The actual domain in this example is "not.ru," but people often only check to see if the string "amazon.com" is anywhere in the address bar.
I'd change that to not use the word "string" since non-tech-folks don't parse that very well, and maybe include screenshots of an address bar containing the real Amazon.com and a phishing site disguised as Amazon.
Edit: I used the "you fail" message because I think it makes people more likely to remember it. I wanted to say something like "your credit card has been stolen. kthxbye." but that would have caused some false alarms.
It's hard to have a memorable message without it causing offense or panic.
Also on my TODO: add a counter for those who put 16 digits in the credit card field.
Extra edit: nfriendly: Thanks for the styling suggestion.
"If asked for your password, do not give it out. Real websites will never ask you for your password. (Login forms excepted, of course.)"
This is confusing, in my opinion. It's hard to explain the difference between a login form and a page asking for your password, so it's probably worth just leaving this out. Any phisher worth his salt makes the page asking for a password look like a login form anyway.
Could you perhaps write some Javascript to check the check digit and submit just whether it was correct or not? Then you could have some stats on how many people are gullible vs. just curious.
I havent particularly been following it, but is there any real solution to phishing? with punycode domains and arbitrary tld's, along with characters that look the same in a lot of fonts, l and I, people need a cs degree to figure out if they are being phished.
I guess paypal and a small number of verified payment processors, (or real online banking) are about the only option.
Single-use credit card numbers (and one-time passwords) would help a ton. Multifactor authentication of any kind would also be good. The problem with all of these ideas is that they're harder to use than fixed CC numbers and passwords.
I do like the convenience of being able to memorize a password or CC number though.
Yes, and it's very simple. Don't type anything important unless you also typed the URL into the address bar. Plenty of real mail from reputable, very phishable, sites actually say exactly this in their real emails-to-customers sometimes.
39 comments
[ 4.9 ms ] story [ 104 ms ] threadthey are both 'pending', since apparently, having 'credit card' in your domain is suspicious: http://ismycreditcardstolen.com/anti-phishing.jpg
Security is a strange beast.
Edit: yeah I would normally never use JS for validation.
Edit: although I suppose you can have an exception in this case :-)
I'd remove the negativity from the start. Putting "This is a test, you have failed it" right in front of folks is an instant turn-off, and might lead people away from your page instead of to the helpful content below.
More bullet points. There's not a whole lot of text there now, but anything you can do to get the message across with fewer words is a win, especially when dealing with non-technical folks.
Under "look at the address bar", you have: A common phishing trick is to have a domain like amazon.com.not.ru, which steals your credentials when you try to log in. The actual domain in this example is "not.ru," but people often only check to see if the string "amazon.com" is anywhere in the address bar.
I'd change that to not use the word "string" since non-tech-folks don't parse that very well, and maybe include screenshots of an address bar containing the real Amazon.com and a phishing site disguised as Amazon.
Still though, good idea!
Edit: I used the "you fail" message because I think it makes people more likely to remember it. I wanted to say something like "your credit card has been stolen. kthxbye." but that would have caused some false alarms.
It's hard to have a memorable message without it causing offense or panic.
Also on my TODO: add a counter for those who put 16 digits in the credit card field.
Extra edit: nfriendly: Thanks for the styling suggestion.
This is confusing, in my opinion. It's hard to explain the difference between a login form and a page asking for your password, so it's probably worth just leaving this out. Any phisher worth his salt makes the page asking for a password look like a login form anyway.
I guess paypal and a small number of verified payment processors, (or real online banking) are about the only option.
I do like the convenience of being able to memorize a password or CC number though.
Laziness, of course, is a problem also.
2) Get a bunch of educated people to review it for 3-5 days and approve of it.
3) Wait until the educated people send links of this to their non-internet literate friends, for education, shits and harmless giggles.
4) Switch to a live form that captures data.
6) Profit
During its three-hour run, nearly 6000 people (20%) tried to give me their google account credentials.
http://www.reddit.com/r/programming/comments/bpy7h/think_you...
"This web page at ismycreditcardstolen.com has been reported as a web forgery and has been blocked based on your security preferences."
So anti-phishing folks got accused for phishing. Looks it was technically nice idea but terrible user experience.
Unless of course there WAS a hidden agenda here.