Ruby on Rails Security Project

Exploring the Security of Rails and friends.


[WebAppSec] Sign-in seals against phishing

March 13th, 2008 · 7 Comments

There's a new sign-in seal on the Yahoo! login page, which is intended to make phishing attacks less likely to succeed. Yahoo! describes it like this:

A sign-in seal is a secret message or photo that Yahoo! will display on this computer only. Look for it every time you sign in to make sure you're on a genuine Yahoo! site. If the message, photo, or colors are different, you may have landed on a phishing site.

There are other techniques to fight phishing, but it is certainly smart to raise awareness, and the technology behind it is clever too. A normal browser cookie would not do, because it disappears whenever you (or the browser) clear the cookie jar, and the seal would then vanish for a perfectly genuine sign-in. So Yahoo! stores the seal's identifier in a Flash Shared Object, a so-called Flash cookie. Shared Objects are kept by the Flash Player plug-in rather than the browser, so they are available across all browsers on the same machine, survive clearing the browser's cookies, and normally don't go away at all, because few people know how to clear them. The security-relevant point is that the object is tied to the domain that wrote it: a phishing page on another domain cannot read it and therefore cannot show your seal. It can only hope you won't notice that the seal is missing.
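To make the mechanism concrete, here is the server-side half of such a scheme as an added example. It is not Yahoo!'s code and not from the original post; the class and method names, the HMAC indexing, and the sample seal are all my assumptions. The client side (the Flash Shared Object, or any other persistent store) holds only an opaque random token; the seal text and color never leave the server, so a copied Shared Object file reveals nothing on its own, and a page that cannot read the token (a phishing page on another origin, or a freshly cleared machine) gets the "no seal set up on this computer" state.

```ruby
require 'securerandom'
require 'openssl'

# Added example: server-side sign-in seal store (not Yahoo!'s implementation).
# The browser persists only the token returned by #enroll; #seal_for is called
# while rendering the sign-in page, before the user types a password.
class SealStore
  Seal = Struct.new(:user_id, :text, :color)

  def initialize(secret)
    @secret = secret   # server-side key used to derive the lookup index
    @seals  = {}       # index => Seal; stands in for a database table
  end

  # Called once, after the user has authenticated normally and picked a seal.
  # Returns the opaque token the client must persist (e.g. in a SharedObject).
  def enroll(user_id, text:, color:)
    token = SecureRandom.hex(32)
    @seals[index_for(token)] = Seal.new(user_id, text, color)
    token
  end

  # Unknown, empty or missing token => nil. The sign-in page then shows the
  # "no seal on this computer" prompt, which is also all a phishing page that
  # cannot read the victim's SharedObject would be able to reproduce.
  def seal_for(token)
    return nil if token.nil? || token.empty?
    @seals[index_for(token)]
  end

  # Users can't easily clear Flash cookies themselves, so the server has to
  # offer its own revocation for a lost or stolen token. Returns true if a
  # seal was actually removed.
  def revoke(token)
    return false if token.nil? || token.empty?
    !@seals.delete(index_for(token)).nil?
  end

  private

  # Index by HMAC of the token instead of the raw token, so a dump of the seal
  # table cannot be replayed as device tokens against the sign-in page.
  def index_for(token)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, token)
  end
end

# Constructed walk-through: enrol one computer, then look the seal up the way
# the sign-in page would, once with the stored token and once without it.
if __FILE__ == $PROGRAM_NAME
  store = SealStore.new(SecureRandom.hex(16))
  token = store.enroll(42, text: 'purple elephant', color: '#663399')
  seal  = store.seal_for(token)
  puts "genuine site, token present: #{seal.text} (#{seal.color})"
  puts "no token (new machine or phishing page): #{store.seal_for(nil).inspect}"
  store.revoke(token)
  puts "after revocation: #{store.seal_for(token).inspect}"
end
```

Two design choices matter here. The token is generated with `SecureRandom` and is long enough that guessing one is hopeless, so the only way for an attacker to render the right seal is to obtain the victim's token, for instance by relaying the victim's real request through a proxy. And the seal is looked up before authentication, so the store must never leak anything about which user a token belongs to beyond the seal itself.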

Tags: WebAppSec

7 responses so far

  • 1 Karl // Mar 13, 2008 at 10:17

    Bank of America has been using this for several years. They call it a SiteKey. You select a picture from several they have on the site, and enter a phrase that corresponds to the picture. Every time you go to log in, it displays the picture and your phrase. If they don't match, don't log in.

  • 2 Alex Deva // Mar 13, 2008 at 10:36

    “New”?! The Yahoo seal has been there for months!

  • 3 Eric Anderson // Mar 13, 2008 at 11:22

    Part of me thinks this is a good idea. The other part of me thinks that 99% of everyday average users will not notice if their personal picture is not displayed if everything else about the page looks like the real Yahoo site.

    So it sounds neat but I wonder if you did a study what percentage of people would actually detect they are on a phishing site because of the photo?

  • 4 General LFO // Mar 19, 2008 at 8:34

    How do you clear flash cookies??

  • 5 Heiko // Mar 19, 2008 at 10:02

    Flash shared objects are in my home directory in Application Data/Macromedia/Flash Player/#SharedObjects,
    but this might be different on other systems.

  • 6 General LFO // Mar 27, 2008 at 8:34

    I think this is security by obscurity. And it really sucks that the bastardizatious Flash has all their cookies neatly tucked away where no (normal) user can touch them! ( There is an old Firefox plugin to remove them, see http://objection.mozdev.org/ )

  • 7 Hank Beaver // Mar 29, 2008 at 20:04

    Site Keys or Seals are proven weak solutions to robust phishing attacks. There are many ways to circumvent a Site Key; using a proxy man-in-the-middle attack is one. Obviously, SSL is a deterrent to man-in-the-middle. But users have to understand websites, URLs and certificate checking.
    At the end of the day, using Site Keys is a nice, visual way to let your customers know you are proactive about security. But it is far from a silver bullet against phishing.
