3rd TIPPI Workshop

Yahoo's Sign-in Seal

Speaker: Naveen Agarwal, Arturo Bejar, and Scott Renfro, Yahoo! Inc.

Title: Yahoo's Sign-in Seal

We'll talk about the Yahoo's newly deployed solution to the problem of phishing: Sign-in Seal. We'll talk about the challenges we faced and how we arrived at this solution. We are all aware of the problem of phishing. There have been a number of studies that show that any solution that uses the browser chrome to warn the user about phishing is not very effective.

Yahoo users create a personalized sign-in seal by uploading a picture or by providing a custom text and a color. The seal is independent of the user id and is only tied to the computer. When a user visits the sign-in page, the seal is displayed prominently inside the login box.

This solution is based on these three Rusty's Axioms

  1. Anything a phisher can see, he can spoof. The seal is personalized to every user as it is their own picture or a text message. Only the user sees the seal when she/he visits the sign-in page. This makes the sign-in page unique for every user and not something a phisher can spoof.
  2. Anything a user knows can, he can reveal to the phisher. The display of the seal is based on the cookies that are set in the browser. The user can not easily give out the cookies to a phisher.
  3. Any phishing solution is only as good as itsĀ  irst step. The user is not required to enter any credentials (userid, password etc) to either setup or view the sign-in seal. If setting up or viewing a seal requires data that a user knows then a phisher may be able to spoof the setup page and phish users.

Back to TIPPI workshop page