The guys at Pauldotcom Security Weekly mentioned a paper about how the SiteKey service used by Bank of America can be fairly easily bypassed and used to phish your login credentials. The paper was done by the Stop-Phishing Research Group at Indiana University. You can find the paper on Slight Paranoia. This is really good reading. I haven't read all the comments yet, but am hoping to get around to it later this weekend.
The thing that really caught my attention is that (as in all phishing attacks) this is possible because users don't pay attention. If they are on their own computer and aren't presented with the SiteKey image, most people assume that something happened and that it is OK. So they nonchalantly reenter their information, and suddenly they have been caught. Once again, if we can just teach people the importance of paying attention when they are online, we will eliminate most successful phishing attempts.
Security's Everyman

Friday, April 20, 2007
More on Phishing
Posted by Andy, ITGuy at 7:08 AM
Labels: Andy ITGuy, information security, Pauldotcom.com, slight paranoia, Stop-Phishing Research Group