with their e-mail addresses as their login name, he said. They also require additional information for registration or password reminders, or use other security measures.
eBay is one online business that does not allow registration and password reminder attacks. The auction Web site stopped using e-mail addresses as user IDs before phishing became an issue, and it has taken other protective measures in its registration and password-reminder process, said Scott Shipman, senior counsel for eBay's global privacy practice.
"It is all designed to prevent the unauthorized disclosure of information, be it the simplest piece of information, such as whether or not that e-mail address or user ID is actually a valid user ID on the site," Shipman said.
In eBay's case, the reminder feature for user IDs gives the same response, regardless of whether the e-mail address is registered with the site. "The language of the error message will not tell you whether or not it was a valid account," Shipman said.
What will foil an attack?
The technique works only if the site generates different responses for registered and unregistered e-mail addresses.
Source: Blue Security
Designing a Web site to not leak information about users is what all site operators should do, the eBay executive added. "It is an example of a type of practice that is a best practice," he said.
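The pattern eBay describes, a reminder and registration flow that answers identically whether or not the address is on file, as an added illustration that is not eBay's or Blue Security's code: the leaky "before" handler sits beside a uniform version, the registration path tells the existing owner rather than the requester, and a small check confirms a known and an unknown address get the same reply. Account data, the mail queue and the hashing parameters are constructed for the example.

```python
import hashlib
import secrets

# Constructed sample user store: e-mail -> (salt, PBKDF2 hash). Not real accounts.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_salt = secrets.token_bytes(16)
USERS = {"alice@example.com": (_salt, _hash("correct horse", _salt))}

OUTBOX = []  # constructed stand-in for the outbound mail queue


def _mail(email, subject):
    """Constructed stand-in for sending mail with a fresh one-time token."""
    OUTBOX.append((email, subject, secrets.token_urlsafe(32)))


def reminder_leaky(email):
    """'Before' form: status code and wording reveal whether the address is registered."""
    if email in USERS:
        _mail(email, "password reminder")
        return 200, "A reminder has been sent to your e-mail address."
    return 404, "No account is registered with that e-mail address."


def reminder_uniform(email):
    """Hardened form: same status, same body and the same work for every input."""
    if email in USERS:
        _mail(email, "password reminder")
    else:
        secrets.token_urlsafe(32)  # do equivalent work so response time does not differ
    return 200, "If that address is registered, a reminder has been sent to it."


def register_uniform(email, password):
    """Hardened registration: a taken address is reported to its owner, not the requester."""
    if email in USERS:
        _mail(email, "someone tried to register with your address")
    else:
        salt = secrets.token_bytes(16)
        USERS[email] = (salt, _hash(password, salt))
        _mail(email, "confirm your registration")
    return 200, "Check your e-mail to finish registering."


def leaks_registration(handler, known, unknown):
    """Regression check: True if a registered and an unregistered address get different replies."""
    return handler(known) != handler(unknown)
```

Run `leaks_registration` against each account-related endpoint as part of the test suite; the rate limiting a live site would also apply is outside this example.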
Hostile profiling is only one way phishing messages are getting more targeted. Earlier this month, security researchers reported that stolen consumer data was used in phishing scams to rip off individual account holders at specific banks.
Jevans at the Anti-Phishing Working Group said that Blue Security's study highlights an emerging phishing threat, and agreed that online organizations should take steps to eliminate vulnerable registration and password-reminder features.
"I think the research is real. You can certainly code your site to not do that, and you probably should," he said.