1

Seeing as phishing is getting more popular and users are becoming less concerned about security, I am trying to come up with a solution for a new site of mine that can stop phishers. For instance, anyone can create a new site that looks exactly like Gmail and phish users to it in order to obtain their UN/PW.

However, what if we made the user pick their subdomain at registration? They can only login on this subdomain, i.e. mysubdomainchoice.domain.com. Now when the phisher gets the credentials from an innocent user, he no longer knows where he can apply them. After several invalid login attempts we can safely lock out the user and have them change their un/pw if they come to their correct subdomain and answer their security questions.

Is this a valid way of defending against phishing and have others thought of this before?
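As an added illustration (not part of the question or of any real site), here is a toy model of the proposed scheme: each account has a registration-time subdomain, a login is only accepted when the request arrives on that exact host, and a counter locks the account after a few failures. The domain names, usernames, passwords and the threshold are constructed assumptions. The simulation plays out both the case the question has in mind (a phisher holding the credentials but not the subdomain) and the side effect the answers below discuss (the lockout also hits the legitimate user).

```python
# Added example (not from the original question): a toy model of the proposed
# per-user-subdomain login scheme with a lockout counter. Domain names,
# usernames, passwords and the lockout threshold are constructed assumptions.
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # assumed: lock after this many consecutive failures


@dataclass
class Account:
    username: str
    password: str      # plaintext only for the toy; a real site stores a salted hash
    subdomain: str     # label the user chose at registration
    failures: int = 0
    locked: bool = False


class Site:
    def __init__(self, base_domain: str) -> None:
        self.base_domain = base_domain
        self.accounts: dict[str, Account] = {}
        self.taken_subdomains: set[str] = set()

    def register(self, username: str, password: str, subdomain: str) -> None:
        if subdomain in self.taken_subdomains or username in self.accounts:
            raise ValueError("username or subdomain already taken")
        self.taken_subdomains.add(subdomain)
        self.accounts[username] = Account(username, password, subdomain)

    def login(self, host: str, username: str, password: str) -> str:
        """Attempt a login on the given Host header value.

        Returns "ok", "denied" or "locked". A wrong subdomain and a wrong
        password take the same "denied" path, so the response does not
        reveal which part was wrong.
        """
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if acct.locked:
            return "locked"
        expected_host = f"{acct.subdomain}.{self.base_domain}"
        if host == expected_host and password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "denied"


def simulate() -> dict:
    """Play out both scenarios the thread discusses and return the outcomes."""
    site = Site("example.com")
    site.register("alice", "correct horse", "alices-corner")  # constructed account
    results = {}

    # Scenario 1: the legitimate user on her own subdomain.
    results["legit"] = site.login("alices-corner.example.com", "alice", "correct horse")

    # Scenario 2: a phisher who captured alice's username and password but has
    # to guess the subdomain. Every wrong guess counts as a failed login.
    guesses = ["alice", "alice1", "login"]
    results["phisher"] = [
        site.login(f"{g}.example.com", "alice", "correct horse") for g in guesses
    ]

    # Side effect: the guessing has locked alice out even at her correct
    # subdomain, which is the support-call problem the first answer raises.
    results["legit_after"] = site.login("alices-corner.example.com", "alice", "correct horse")
    return results


if __name__ == "__main__":
    print(simulate())
```

The model makes the trade-off concrete: the scheme only adds anything while the subdomain stays unknown to the attacker, and the same counter that stops a guessing phisher also locks out a user who mistypes or forgets their subdomain, so anyone who knows a username can lock that account from outside.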

3 Answers

2

Let me ask you a question.

Do you really think that your users will be able to remember the subdomain they should be using? I know that I most definitely will not.

So what happens when a user forgets what subdomain he should be using? Chances are he will try out a few of them to see if it works. This will trigger a lockout according to your scheme. Now, you have an angry user calling your support line screaming at you to fix things. An angry user is a careless user.

So what happens if an attacker sends said user a phishing link? After going through the annoying process of screaming at customer service a couple of times, the user will probably not question the fact that he is able to log in the very first time through the phishing link. In fact, he will be quite happy.

So no, I don't think this is a good scheme as it has the likelihood of pissing off your users. When it comes to security, you really want users to be on your side.

  • Thanks. Yes, pissing users off seems to be the biggest downfall. But users do remember things like this today except they are paths. Twitter is a good example. – ElectricSignal Oct 13 '13 at 17:35
2

As others have noted the problem still stands. Consider user.example.com versus user.examp1e.com.

Any visual confirmation that they are on the correct site will be overlooked by the careless user, or even taken as valid by the careful, provided it's good enough. Sadly checking each character of the URL is still the only real option.

The only overhead for the attacker is to try and send links with personalized subdomains, but that still won't help you if your users don't check where the "click here" link points them to.

The login page of my Uni displays a warning similar to this one:

Check the address of this web page. It should begin with: https://login.example.com. If it does not — do not continue!

which calls for some vigilance but even so, the attacker might be able to change the displayed URL on the browser so even that's not a foolproof method.

The only defence against phishing is the following:

  • Check the URL
  • Check the URL on the certificate
  • Check the news to see if the destination's CA has been broken into recently
rath
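As an added example (not part of rath's answer or of any real login page), the following contrasts the literal reading of the quoted warning, "does the address begin with the expected text?", with a check that compares the parsed hostname, and adds a small detector for digit-for-letter lookalikes such as examp1e. The expected URL and the sample URLs are constructed for the demonstration.

```python
# Added example (not from the original answer): a "begins with" URL check beside
# a strict hostname comparison and a lookalike detector. The expected login URL,
# the confusable-character table and the sample URLs are constructed assumptions.
from urllib.parse import urlsplit

EXPECTED_LOGIN_URL = "https://login.example.com"

# Substitutions that lookalike registrations commonly rely on (assumed list).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def begins_with_check(url: str, expected: str = EXPECTED_LOGIN_URL) -> bool:
    """The literal reading of the warning: does the address begin with the expected text?"""
    return url.startswith(expected)


def strict_check(url: str, expected: str = EXPECTED_LOGIN_URL) -> bool:
    """Compare the scheme and the parsed hostname (userinfo and port stripped, lowercased)."""
    got, want = urlsplit(url), urlsplit(expected)
    return got.scheme == "https" and got.hostname == want.hostname


def is_lookalike(host: str, expected_host: str) -> bool:
    """True when host differs from expected_host only by common confusable characters."""
    return host != expected_host and host.translate(CONFUSABLES) == expected_host


def classify(url: str, expected: str = EXPECTED_LOGIN_URL) -> str:
    """Return 'expected', 'lookalike' or 'other' for a URL."""
    if strict_check(url, expected):
        return "expected"
    host = urlsplit(url).hostname or ""
    if is_lookalike(host, urlsplit(expected).hostname):
        return "lookalike"
    return "other"   # includes the right host over plain http


SAMPLES = [  # constructed
    "https://login.example.com/auth",
    "https://login.example.com.evil.test/auth",  # expected text is only a prefix
    "https://login.example.com@evil.test/auth",  # expected text sits in the userinfo part
    "https://login.examp1e.com/auth",            # digit 1 in place of letter l
    "http://login.example.com/auth",             # right host, no TLS
]


def compare(urls=SAMPLES) -> dict:
    """Map each URL to (begins_with_check, strict_check, classify)."""
    return {u: (begins_with_check(u), strict_check(u), classify(u)) for u in urls}


if __name__ == "__main__":
    for url, verdict in compare().items():
        print(f"{url:45} begins_with={verdict[0]!s:5} strict={verdict[1]!s:5} {verdict[2]}")
```

The prefix check accepts two of the constructed addresses that a hostname comparison rejects, which is why the answer says every character of the URL has to be checked rather than just its beginning; the lookalike detector only catches a fixed list of substitutions and flags nothing for a host that differs in any other way.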
  • Thanks for the response. Say the innocent user goes to user.examp1e.com, they have given up their credentials. Where is the phisher going to use those credentials on my site? – ElectricSignal Oct 13 '13 at 17:38
  • @ElectricSignal We tend to use the same password across websites. That said, the phisher now has one of your user's passwords, he can try using it on PayPal, gmail, facebook... whatever works. He can also login as the user and check out private messages, network of friends, everything that your service might offer to hide from the public. It depends on the situation but password reuse is by far the biggest issue. – rath Oct 13 '13 at 20:39
  • I agree with everything you just said. If they use the same un/pw, other sites would be in jeopardy but not mine even though as you pointed out, the data could be common. I know it seems shitty of me to say this but I'm not the phisher and I'm not the other sites. Note that if the other sites used the same technique, we would still be golden too. ; ) – ElectricSignal Oct 13 '13 at 21:18
  • @ElectricSignal Your site is never in jeopardy from phishing attacks. Your users are. They are the target. – rath Oct 13 '13 at 22:07
1

No.

If a user isn't smart enough to verify they are at domain.com before entering their credentials, they sure as hell won't be smart enough to make sure they are at secret.domain.com.

David Houde
  • If they forget their subdomain, the worst that can happen is I pissed them off as Terry has stated. I still beat the phisher. – ElectricSignal Oct 13 '13 at 17:39
  • You might be able to stop the phisher from logging into the account once the credentials were compromised, but the user is still susceptible to a phishing attack using a fake version of your site. Those credentials can be used other places such as email, where it might be possible to find out the 'secret' domain from an activation email, or even request a reset. – David Houde Oct 14 '13 at 01:33
  • That's true also. Thanks. Overall I have come to the realization that there is really nothing I can do about phishing. – ElectricSignal Oct 14 '13 at 21:27