
Yahoo Adds Login Phishing Protection

By Nate Mook, BetaNews

August 23, 2006, 2:00 PM

In an effort to curb the influx of phishing scams that attempt to fool users into logging on to an illegitimate Web site, Yahoo is now enabling its users to customize their sign-in box with a personal seal. The idea is that users would spot the graphic and know they are truly on Yahoo and not some malicious site.

A number of banks, including Bank of America, have taken a similar approach with their authentication methods. Yahoo users can either upload an image or select a line of text that would appear only to them. However, because the feature utilizes cookies, it does not work on public computers, and deleting the cookie would reset the login box to normal.
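One way a cookie-keyed sign-in seal like the one described above could work, as an added sketch that is not Yahoo's implementation and not code from the article. The cookie name, the in-memory store and the HMAC-signed random device ID are assumptions; the demo shows why a different computer or a deleted cookie falls back to the normal login box.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret key
COOKIE_NAME = "seal_device"            # hypothetical cookie name
SEALS = {}                             # device id -> seal text, kept server-side


def _tag(device_id: str) -> str:
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


def create_seal(seal_text: str) -> str:
    """Store the seal server-side; return the Set-Cookie value for this browser."""
    device_id = secrets.token_urlsafe(16)      # random, carries no username
    SEALS[device_id] = seal_text
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{device_id}.{_tag(device_id)}"
    cookie[COOKIE_NAME]["secure"] = True       # only sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True     # not readable by page scripts
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def seal_for_request(cookie_header: str):
    """Return the seal to draw beside the sign-in box, or None for the normal box."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    if COOKIE_NAME not in cookie:
        return None                            # public, new, or cleared browser
    device_id, _, tag = cookie[COOKIE_NAME].value.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(device_id).encode()):
        return None                            # forged or altered cookie
    return SEALS.get(device_id)


def demo():
    # Constructed sample seal and requests, for illustration only.
    set_cookie = create_seal("blue heron 42")
    sent_back = set_cookie.split(";", 1)[0]    # what the browser sends back
    flipped = sent_back[:-1] + ("0" if sent_back[-1] != "0" else "1")
    return {
        "home_browser": seal_for_request(sent_back),
        "public_computer": seal_for_request(""),
        "cookie_deleted": seal_for_request("other=1"),
        "tampered": seal_for_request(flipped),
    }
```

Only the first case in `demo()` returns the seal; the other three return `None`, which is the "reset to normal" behaviour the article describes.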


By darshanshah

edited Aug 25, 2006 - 1:14 PM

I had Blackberry set up to access my Yahoo email account, and since yesterday I am not able to log in to Yahoo mail... Is that because my Blackberry was constantly trying to access the account and eventually the account got locked up, maybe?

Score: 0

By jshurst

posted Aug 24, 2006 - 9:54 AM

I haven't tried this out yet, but I will say that I love Yahoo's beta mail. Very good and well-written site that heavily uses AJAX. I really like where Yahoo is going (although I must admit I only use them for mail ;-) ).

Score: 0

By SteveJohnSteele

posted Aug 24, 2006 - 12:58 AM

I've just created a 'seal'

Then I went to test it ...
1. Sign-in at www.yahoo.com ... no seal
2. Sign-in at mail.yahoo.com ... no seal

doesn't appear to work

maybe it's so new they haven't implemented it on all their sites yet

Score: 0

By sophist_dreams

posted Aug 24, 2006 - 8:08 AM

Worked for me. I really don't see what use it is (other than having a cute little thumbnail of my dog on the sign-in page); I just thought I'd see if it was easy to do and/or actually worked. I also did it without using the Yahoo toolbar.

Score: 0

By castiglione

posted Aug 24, 2006 - 1:14 AM

Works for me. I use Yahoo Toolbar, and I am currently re-signing in, and I see my seal. I guess it's on an individual basis that it's not working.

Score: 0

By The MAZZTer

edited Aug 23, 2006 - 7:54 PM

This has an obvious flaw. It only works if Yahoo expects you. This can be easily worked around by presenting blank username and password boxes. Yahoo can't personalize them when they don't know who you are yet, and thus those can be imitated easily.

A nice idea, but a determined phisher can create a new textbox and write the server-side code for harvesting your username in under 30 minutes, which is far less time than it must've taken Yahoo to implement this feature.

Not to mention it may be possible for a server to retrieve your personalized seal with a bit of work (it would have to trick the Yahoo server into thinking it's you returning... and then the Yahoo server just hands the personalized seal to the bogus server, which injects it right in the bogus page. Not sure if this is possible or not, but certainly easier than making them think you're logged in, as no password is needed).

Score: 0

By IOMO

edited Aug 24, 2006 - 9:43 AM

If it uses cookies, it sounds like it would keep a cookie with the Yahoo username of the last known person to use that account on that computer, which would then be sent to Yahoo when you next access the page. Yahoo would then look up the personalised message/image and stick it on the page that gets returned to the browser. The image and text appear next to the login box (which is already blank) or just above it (not inside it, as I think you were suggesting).
For the server to retrieve the seal, it would have to gain access to the cookie that contains the Yahoo username (not sure how easy that is).

It won't work in a public system as you probably wouldn't be the last person to use the computer (assuming you have to use a shared account). They could always use a system where you put in your username and it returns the seal (AJAX?), but this would let the phishers get part of the login info (username) unless they just randomly generated a seal (something believable) that could be meaningless for whatever is entered (only you would recognise that it was your seal and not something random).

Score: 0

By alrmh

posted Aug 23, 2006 - 6:49 PM

An interesting concept.

Score: 0

By useruser21

edited Aug 23, 2006 - 5:17 PM

LOVE IT!

Score: 0

By castiglione

posted Aug 23, 2006 - 2:07 PM

This is an excellent idea. I like it.

Score: 0