10 Anti-Phishing Firefox Extensions
An anonymous reader writes "A list of 10 anti-phishing Firefox extensions was published at Security-Hacks: 'For most Internet users, defending against phishing attacks is a top priority. One popular way to combat phishing attacks is to maintain a list of known phishing sites and to check web sites against the list.'"
Or just upgrade to Firefox 2, which has the feature built in.
Most modern phishing is done very professionally, and the pages totally mimic the real thing. I recently received a phishing e-mail regarding PayPal accounts and out of curiosity I took a look at it. The result was shocking. The page I was directed to was an exact duplicate of the real PayPal system. The link I followed did not use scripting. It did belong to the wrong domain, but most normal users would not have noticed it. Copy-pasting the link would not have made any difference.
The "fix" against phishing is a better authentication method.
For some reason, many banks and payment providers in the US only use username/password (one-factor) authentication. In Europe most banks use at least a 2-factor security system, where the logon information is combined with either a physical security token (RSA or similar), an encryption key file, a supplemental 6-digit PIN sent by SMS to the user, etc.
The whole approach of attempting to eliminate phishing by filtering webpages, making fancy browser plug-ins or stuffing a lot of security bloatware onto computers is essentially wrong. The only reason simple phishing attacks work is because the authentication mechanism is way too simple.
Adding another factor of security to the systems is a trivial task in terms of programming and implementation. And it works - the European home banking systems are the proof of that.
Phishing gets a lot more difficult when SMS messages, encryption keys or physical tokens are involved in the logon procedure. Since all these methods have been well explained and documented in books ranging back to the early 80's, I really don't understand why these simple methods are so largely ignored...
My security clearance is so high I have to kill myself if I remember I have it...