
Seeing as phishing is getting more popular and users are becoming less concerned about security, I am trying to come up with a solution for a new site of mine that can stop phishers. For instance, anyone can create a new site that looks exactly like Gmail and phish users to it in order to obtain their UN/PW.

However, what if we made the user pick their subdomain at registration? They can only log in on this subdomain, i.e. mysubdomainchoice.domain.com. Now when the phisher gets the credentials from an innocent user, he no longer knows where he can apply them. After several invalid login attempts we can safely lock out the user and have them change their un/pw if they come to their correct subdomain and answer their security questions.

Is this a valid way of defending against phishing and have others thought of this before?

1 Answer


In the way you described it, the subdomain name is another form of a credential, like a username or password. So it is as if the user is challenged with 3 inputs instead of 2, which is a bit better, but not a huge deal.

As soon as the phishers know the system works like that, they will just start phishing for the subdomain also. And it is worse than just asking for an additional passcode, because trying to access the subdomain is sort of giving confirmation they have a living one. Security by obscurity is not a best practice.

Good that you're thinking out of the box though!

  • Hmm, well since the subdomain will only be entered in the address bar it's not technically an input, but an address. But I do wonder if phishers will ask the user for their subdomain and get that as well. – ElectricSignal Oct 13 '13 at 17:45
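As an added illustration of the scheme in the question (this is example code, not from the question or the answer), here is a minimal Python login model in which the registered subdomain is checked the same way as the password, exactly as the answer describes: one more string to compare, with wrong-subdomain attempts counted toward the lockout the asker proposes. The account names, subdomains and passwords are constructed sample data, and the use of hashlib.scrypt with these parameters is an assumption.

```python
"""Model of the per-user subdomain login scheme from the question.

Added example, not from the question or answer. Usernames, subdomains
and passwords used with it are constructed sample data; the scrypt
parameters are an assumption, not a recommendation from the page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5  # lock the account after this many bad attempts


@dataclass
class Account:
    username: str
    subdomain: str  # chosen at registration, e.g. "alice-books"
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**12, r=8, p=1)


def register(username: str, subdomain: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, subdomain.lower(), salt, _hash(password, salt))


def login(accounts: dict, host: str, username: str, password: str) -> str:
    """Return 'ok', 'locked' or 'invalid'.

    host is the Host header of the request, e.g. 'alice-books.example.com'.
    The subdomain is compared exactly like the password: it is simply a
    third secret, and a mismatch on either one counts as a failed attempt.
    """
    acct = accounts.get(username)
    if acct is None:
        return "invalid"  # same answer as a bad password, no user enumeration
    if acct.locked:
        return "locked"
    requested = host.split(".")[0].lower().encode()
    sub_ok = hmac.compare_digest(requested, acct.subdomain.encode())
    pw_ok = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if sub_ok and pw_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1  # counted even when only the subdomain is wrong
    if acct.failures >= MAX_FAILURES:
        acct.locked = True  # asker's plan: unlock via correct subdomain + questions
        return "locked"
    return "invalid"
```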