Comments for Can I prevent phishing attacks by using a bookmark?

Comment from howiem on 2009-06-03

2009-06-03T20:21:42Z

I should have mentioned in my initial question that when one finishes a banking session, one should always log out and then close the browser window/tab. But this is not always possible (if the browser crashes, for example, in which case I restart the browser, log in and log out again. I also use Sandboxie and have separate sandboxes dedicated to each bank I use, plus No-Script and various web analysis tools to alert me to bad web sites.

One of the reasons for using an https bookmark is that as I understand it, a request to visit a web site goes through a Domain Name Server (DNS). Some are secure and some are not. By using the https bookmark, the request to visit a web site goes to a secure DNS and is redirected to the log-in page. Typing in an IP number will go to a non-secure DNS, and if it has been compromised (called DNS poisoning) it will make no difference if you use the normal URL or the IP number. But when using a bookmarked https address, the site visit request will go through a secure DNS, and I have not heard of any of those being compromised to date. Leo, correct me if I am wrong on this.

Using bookmarks do not have any effect of the banking session length, and because using https bookmarks is more secure, why in the world would a bank want to prevent bookmarking them?

I am curious as to how typing the correct IP number makes any difference in security. The request still has to go to an unsecure DNS. If you type the name of the site correctly, the DNS translates it to an IP number anyway, so while there might be a tiny increase in speed, it is no more secure than typing in the CORREC name. And one can make a typo on an IP number just as one can mistype a word. Using a password manager is always a good idea, though, as long as you are sure you are on the genuine web site.

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from J. Y. on 2009-05-17

2009-05-17T17:02:35Z

Back to the phishing problem... Another circumventing possibility? You can right-click on any link within an email, copy the shortcut and paste it to your browser address bar, see whether it is, indeed, the correct address before actually going to the site.

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Linda on 2009-05-12

2009-05-13T03:12:59Z

I'm with all of you. Any bank that keeps you logged in to a secure site is NOT a bank I want to deal with. My bank has a 10 minute interval until you must sign in again. I like it.

For the record, this has nothing to do with bookmarking. It's very reasonable to have a bookmark deep in the bank's site, and have it boucne you to a login page if that's required. (The best will then return you to the page you bookmarked, after you've logged in).

- Leo
13-May-2009

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from George on 2009-05-12

2009-05-12T19:15:27Z

I agree with the previous comments, you should not be able to bookmark a secure banking site, it should go to the main login page only. In addition I use the ip number for the bank instead of a normal url. This still only takes you to the main login page. I type in the IP# such as 143.0.XXX.XXX. You can also save that in a program such as KeePass or Roboform and it will take you there immediately with auto login if you set it up correctly. Almost the same as using a url, but less chance of being redirected to some phony page.
(¯`·._.·ns¢ävË·._.·´¯)
www.nscave.com

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Brad on 2009-05-12

2009-05-12T18:15:07Z

I don't understand the basis of the queestion for this tip. Any bank that allows you to bookmark ANYthing other than their 'front page' or login screen is NO bank I'd want to do business with. What gigi said is true. TRY to bookmark anything 'inside' the bank site. If you CAN bookmark that page...change your bank.

Yikes, that seems kinda harsh. For the record, I disagree. Being able to bookmark a page is benign. One way or another, it's going to happen. Rather than disallowing it, banks should simply be handling the security implications of people using them. Depending on the implementation that could mean, as another commentor has stated, bouncing to a secure login page. But disallowing bookmarks completely is not only overkill, but ineffective.

- Leo
13-May-2009

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.

Comment from Gigi on 2009-05-12

2009-05-12T15:51:34Z

The described procedure has a major weak point: for security reasom most banks log you out from your account when you leave their site; so, when you connect again to a page in which you previously entered after login, you would (at best) get bumped to a generic (non secure) page or - usually - you get an error.
The safest way is to type the site's URL yourself, ideally in a Live-CD OS - no chance of infection so no chance of hyjacking. Otherwise bookmark the site before login.

]]>

A comment on: Can I prevent phishing attacks by using a bookmark?

Tech Questions? Get Answers! - Ask Leo! ... by Leo Notenboom
Leo's Answers Newsletter - Ask Leo! in your inbox every week.