Single Factor Authentication
A fully transmitted login password or PIN is about as much use in security terms as a chocolate fire safe, as we outlined in the previous article. By "fully transmitted" we mean a login where the username and password are entered in full in the login box, ripe for the picking. What is most incredible is the number of otherwise prestigious sites that use this kind of login.
Does the following look familiar?
It should then come as no surprise that Fraudwatch cites PayPal as the most targeted site on Earth for phishers.
Fraudwatch is a site that monitors a variety of types of online fraud. In PayPal's favor is the fact that they are actually listed in Fraudwatch. I'm aware of many online sites that are targets of online fraud, but their names do not even show up in sites like Fraudwatch.
The cynic in the audience might be moved to say "I wonder why?" But let's not dwell on questions that cannot be answered without a trip down to the libel courts.
Here is another type of business that might be concerned with the protection of its customers:
This is Davy Stock Brokers.
Now for a variant on the theme, one that asks for another piece of data; in reality, both the password and the PIN are equally vulnerable:
Sites that use these systems are really looking for trouble, because it isn't that difficult to download the web code from someone's site. A program such as Wget will grab every object that it can find on a website and copy it onto your hard disk. You then have a complete copy of the website, down to the images and copyright notices, and even the phishing warnings! It isn't difficult then to comprehend why phishing has been such a successful attack.
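From the site owner's side, a wholesale copy of this kind leaves a trace in the web server's access log: one client requests nearly every object on the login pages within seconds. The following is an added example, not code from the original article, that flags such clients. The log format (combined), the path list, the thresholds and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Wget/1.21.3"
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Wget/1.21.3"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Wget/1.21.3"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 4100 "-" "Wget/1.21.3"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /phishing-warning.html HTTP/1.1" 200 1500 "-" "Wget/1.21.3"
198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:05:01 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:11:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:11:00:01 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:11:00:01 +0000] "GET /img/logo.png HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2024:11:00:02 +0000] "GET /phishing-warning.html HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""
# Assumed inventory of the objects that make up the login pages.
SITE_PATHS = {"/", "/login", "/css/site.css", "/img/logo.png", "/phishing-warning.html"}

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def find_mirroring_clients(log_text, site_paths, coverage=0.8, window=timedelta(minutes=5)):
    """Return {ip: details} for clients that fetched at least `coverage` of
    `site_paths` inside any single `window` of time."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["method"] == "GET" and m["path"] in site_paths:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            per_ip[m["ip"]].append((ts, m["path"], m["ua"]))
    flagged = {}
    for ip, reqs in per_ip.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):
            # Distinct site objects fetched within `window` of this request.
            seen = {p for t, p, _ in reqs[i:] if t - start <= window}
            ratio = len(seen) / len(site_paths)
            if ratio >= coverage:
                # The User-Agent is set by the client, so treat it as a hint only.
                wget_ua = any("wget" in ua.lower() for _, _, ua in reqs)
                flagged[ip] = {"coverage": round(ratio, 2), "wget_user_agent": wget_ua}
                break
    return flagged
```

The third client in the sample is flagged on behaviour alone, which is why the check is based on coverage and not on the User-Agent string.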