3rd TIPPI Workshop
Yahoo's Sign-in Seal
Speaker:
Naveen Agarwal, Arturo Bejar, and Scott Renfro, Yahoo! Inc.
Title:
Yahoo's Sign-in Seal
Abstract:
We'll talk about Yahoo's newly deployed solution to the problem
of phishing: Sign-in Seal. We'll talk about the challenges we faced
and how we arrived at this solution.
We are all aware of the problem of phishing. There have been a number
of studies that show that any solution that uses the browser
chrome to warn the user about phishing is not very effective.
Yahoo users create a personalized sign-in seal by uploading a picture
or by providing a custom text and a color. The seal is independent
of the user id and is only tied to the computer. When a user visits
the sign-in page, the seal is displayed prominently inside the login
box.
This solution is based on the following three of Rusty's Axioms:
- Anything a phisher can see, he can spoof.
The seal is personalized to every user as it is their own picture or
a text message. Only the user sees the seal when she/he visits the
sign-in page. This makes the sign-in page unique for every user and
not something a phisher can spoof.
- Anything a user knows, he can reveal to the phisher.
The display of the seal is based on the cookies that are set in the
browser. The user cannot easily give out the cookies to a phisher.
- Any phishing solution is only as good as its first step.
The user is not required to enter any credentials (user id, password,
etc.) to either set up or view the sign-in seal. If setting up or
viewing a seal required data that a user knows, then a phisher could
spoof the setup page and phish users.
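The following is an added illustration, not Yahoo's code, of the design the three axioms describe: the seal is stored under a random per-browser cookie rather than a user id, it is created and shown without any credentials, and a request that lacks the cookie (a first visit, or a page served from some other origin that never received it) gets no seal. The cookie name, the login-box markup and the store are assumptions.

```python
import html
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "seal_id"  # assumed name; the page does not name Yahoo's cookie


@dataclass
class Seal:
    kind: str            # "text" or "image"
    value: str           # the custom text, or base64-encoded image data
    color: str = ""      # colour chosen for a text seal


@dataclass
class SealStore:
    # Keyed by a random per-browser token, never by user id: the seal is
    # tied to the computer (axiom 1: every user's sign-in page looks different).
    seals: dict = field(default_factory=dict)

    def set_seal(self, cookies: dict, kind: str, value: str, color: str = "") -> dict:
        """Create or replace this browser's seal. No credentials are checked (axiom 3)."""
        seal_id = cookies.get(COOKIE_NAME) or secrets.token_urlsafe(32)
        self.seals[seal_id] = Seal(kind, value, color)
        return {COOKIE_NAME: seal_id}  # cookie to set on the response

    def set_cookie_header(self, cookies: dict) -> str:
        """Set-Cookie value: HTTPS-only and unreadable by page scripts (axiom 2)."""
        return f"{COOKIE_NAME}={cookies[COOKIE_NAME]}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def render_sign_in(self, cookies: dict) -> str:
        """Render the login box. Without the cookie there is nothing to show."""
        seal = self.seals.get(cookies.get(COOKIE_NAME, ""))
        if seal is None:
            return "<login-box>[no seal for this computer]</login-box>"
        if seal.kind == "text":
            # Escape the user-supplied text so a seal cannot inject markup into the page.
            return (f'<login-box><seal style="color:{html.escape(seal.color)}">'
                    f'{html.escape(seal.value)}</seal></login-box>')
        return f'<login-box><img src="data:image/png;base64,{seal.value}"></login-box>'


if __name__ == "__main__":
    store = SealStore()
    # Constructed example: a user personalizes the seal on their own computer.
    browser_cookies = store.set_seal({}, "text", "my dog Rex", "#336699")
    print(store.set_cookie_header(browser_cookies))
    print(store.render_sign_in(browser_cookies))   # seal shown inside the login box
    print(store.render_sign_in({}))                # no cookie: no seal
```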