Monday, August 21, 2006

Yahoo! Sign In Seal

Yahoo! has an anti-phishing mechanism called Sign-In Seal.

It's the little badge shown above, whose text and colour I chose (private joke).

From the FAQ:
What if I don't see my sign-in seal?

You could be on a fraudulent site, but there might be other reasons why you can't see it. For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you're using a partner or international Yahoo! site (like BT Yahoo! or Yahoo! India). To be safe, look for these other clues to make sure you're on a genuine Yahoo! sign-in screen.
Given this sort of guidance (essentially "do all those other checks that this mechanism was designed to replace"), a phisher would be crazy to try to simulate a seal. Just don't display one at all, and count on the user having been conditioned, by all the legitimate exceptions listed above, to log in anyway.

If Yahoo! had any guts, the guidance above would have been 'Play it safe - do not attempt to log in'.
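To make the failure mode concrete, here is a toy model of a sign-in seal. It is an added example written for this post, not Yahoo!'s implementation: the host names, the cookie name `seal`, the cookie `Domain` scoping and the seal text are all constructed assumptions. The genuine login page can show the seal only when the browser sends the seal cookie; a phishing host on another domain never receives that cookie, so it shows nothing, which is exactly what a cleared cookie jar, another machine or a partner site also produce.

```python
"""Toy model of a sign-in seal (constructed for illustration; not Yahoo!'s code).

A per-browser secret is stored in a cookie scoped to the genuine login host.
The genuine login page looks the secret up and displays the user's chosen seal.
"""
import secrets

# Assumption: the one host that is the genuine sign-in page.
GENUINE_HOSTS = {"login.yahoo.com"}


class SealService:
    """Server side: maps a per-browser token to the seal the user chose."""

    def __init__(self):
        self._seals = {}  # token -> (text, colour)

    def enrol(self, text, colour):
        """User picks a seal on the genuine site; server stores it and sets a
        cookie carrying the token. Returns the cookie as the browser keeps it."""
        token = secrets.token_hex(16)
        self._seals[token] = (text, colour)
        return {"name": "seal", "value": token, "domain": "login.yahoo.com"}

    def lookup(self, token):
        return self._seals.get(token)


def cookie_domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: the host is the cookie domain or a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(jar, host):
    """Browser side: only cookies whose Domain matches the request host are sent."""
    return {c["name"]: c["value"] for c in jar if cookie_domain_matches(host, c["domain"])}


def render_login_page(service, host, jar):
    """What a login page at `host` can display.

    Genuine host with the cookie present: the seal.
    Everything else (phishing host, cleared cookies, another machine, partner
    site): None. All of those cases look identical to the user.
    """
    sent = cookies_sent_to(jar, host)
    if host in GENUINE_HOSTS and "seal" in sent:
        return service.lookup(sent["seal"])
    return None


def user_should_proceed(seal_shown, policy):
    """'fail-open' models the FAQ advice (missing seal might be innocent, look
    for other clues); 'fail-closed' models 'no seal, do not log in'."""
    if seal_shown is not None:
        return True
    return policy == "fail-open"


def phishing_page_succeeds(service, jar, policy, phishing_host="login.yahoo.com.example.net"):
    """The phisher's best move: render no seal at all and rely on the user's
    conditioning. Under a fail-open policy the user proceeds anyway."""
    shown = render_login_page(service, phishing_host, jar)
    return user_should_proceed(shown, policy)


if __name__ == "__main__":
    svc = SealService()
    jar = [svc.enrol("private joke", "purple")]
    print("genuine host:", render_login_page(svc, "login.yahoo.com", jar))
    print("phishing host:", render_login_page(svc, "login.yahoo.com.example.net", jar))
    print("cookies cleared:", render_login_page(svc, "login.yahoo.com", []))
    print("partner host:", render_login_page(svc, "uk.yahoo.com", jar))
    print("phish succeeds, fail-open:", phishing_page_succeeds(svc, jar, "fail-open"))
    print("phish succeeds, fail-closed:", phishing_page_succeeds(svc, jar, "fail-closed"))
```

The interesting output is the three `None`s: the phishing host, the cleared cookie jar and the partner host are indistinguishable from the user's chair, so the only policy under which the blank page protects anyone is the fail-closed one the FAQ declines to give.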

1 comment:

Rohan Pinto said...

Hi Paul,

I'd blogged about it too, because I really liked the feature. However, from looking closer at the way the personal sign-in seal is stored in your cookie, and at the cookie domain especially, I'm pretty sure that work is underway to simulate a phishing site to force your personal sign-in seal to appear on the phishing site....

btw: I posted about it on my blog with a few screenshots too...