Comments on: How to defeat Phishing http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/ A technology blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas. Wed, 25 Nov 2009 06:51:26 -0600 http://wordpress.org/?v=2.8.6 hourly 1 By: Martin http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231922 Martin Sun, 06 Jan 2008 17:03:42 +0000 http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231922 Kurt I personally don't think that spammers will start sending mails out to guessed emails, e.g. if they found at ghacks@gmail.com they will not send out mails to ghacks+something@gmail.com because it is highly ineffective. And you do not have to remember the virtual email address at all because you are not going to use it. You receive official mail from those sites to it and that's it. No need to remember. Kurt I personally don’t think that spammers will start sending mails out to guessed emails, e.g. if they found at ghacks@gmail.com they will not send out mails to ghacks+something@gmail.com because it is highly ineffective.

And you do not have to remember the virtual email address at all because you are not going to use it. You receive official mail from those sites to it and that’s it. No need to remember.

]]> By: kurt wismer http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231905 kurt wismer Sun, 06 Jan 2008 16:42:05 +0000 http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231905 yes, *if* you do it right you certainly can make guessing a lot harder... who's going to know/remember to do that? who's going to remember which random number they chose for paypal? will they use the same random number for everything or a different one for each virtual address? how will they pick their random characters (given that the human brain has an exploitable weakness when it comes to intentionally generating randomness - 17 is apparently the most random number between 1 and 20 for example)? and using random characters wasn't in your original article, by the way... yes, *if* you do it right you certainly can make guessing a lot harder… who’s going to know/remember to do that? who’s going to remember which random number they chose for paypal? will they use the same random number for everything or a different one for each virtual address? how will they pick their random characters (given that the human brain has an exploitable weakness when it comes to intentionally generating randomness – 17 is apparently the most random number between 1 and 20 for example)?

and using random characters wasn’t in your original article, by the way…

]]> By: Martin http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231677 Martin Sun, 06 Jan 2008 09:01:28 +0000 http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231677 Kurt guessing mails is an almost impossible task if you do it right. You should not use ghacks+paypal@gmail.com of course. But what about ghacks+paypalcomXXX@gmail.com where XXX are three random chars. I think it is only possible to defeat this if either your computer or the service network gets hacked. You could use unique emails for every service as well but I think that using virtual mails is faster and does not require that much work. Kurt guessing mails is an almost impossible task if you do it right. You should not use ghacks+paypal@gmail.com of course. But what about ghacks+paypalcomXXX@gmail.com where XXX are three random chars.

I think it is only possible to defeat this if either your computer or the service network gets hacked.

You could use unique emails for every service as well but I think that using virtual mails is faster and does not require that much work.

]]> By: kurt wismer http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231390 kurt wismer Sun, 06 Jan 2008 00:20:51 +0000 http://www.ghacks.net/2008/01/06/how-to-defeat-phishing/#comment-231390 hmmm, i suppose that works too, but i don't think it's very future-proof... what i mean is that when everyone starts using that method the phishers will simply start guessing what your virtual addresses are... people are probably going to do as you did and use the website name in the address so it shouldn't actually be that hard for the phishers to guess... sneakemail addresses, on the other hand, are random alphanumeric strings that are basically unguessable... hmmm, i suppose that works too, but i don’t think it’s very future-proof… what i mean is that when everyone starts using that method the phishers will simply start guessing what your virtual addresses are… people are probably going to do as you did and use the website name in the address so it shouldn’t actually be that hard for the phishers to guess… sneakemail addresses, on the other hand, are random alphanumeric strings that are basically unguessable…

]]>