Really Simple Anti-Phishing Idea

Spammers have recently started sending out fake invoices from iTunes, and it got me thinking: wouldn’t it be great if Apple included a secret word in their email notifications that I would immediately recognize? Once I thought about it a little more, I realized that the idea could easily extend to just about any service, and could also be used to eliminate false positives in spam filters.

This would be an effective anti-phishing technique. Let’s say your bank asks you to pick a safe word to be associated with your account. Once that’s selected, any email they send you will include that safe word in the subject line as an easily identifiable sign of authenticity.

If you picked “Incontinent Panda” as your safe word, instead of

Subject: Bank of America: Important Notice On Your Account Information (Re-Confirm)

you would see

Subject: [Incontinent Panda] Bank of America: Important Notice On Your Account Information (Re-Confirm)

Since the odds of a phisher guessing this safe word are pretty low, you can tell at a glance that the message is most likely the real deal. And since these emails go out to you, and you only, the odds of the safe word getting compromised are fairly low.
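To make the mechanism concrete, here is a small worked example of both halves of the scheme: the service stamping its outgoing subject line with the recipient's safe word, and a filter on the recipient's side that checks incoming mail for it. This is added example code, not code from the original post; the safe-word table, the sender domains and the sample messages are all constructed for illustration.

```python
"""Safe-word subject tagging, a worked example of the idea above.

Added example code, not part of the original post.  The safe-word store,
the sender domains and the sample messages are constructed for illustration.
"""
import email
import hmac
import re
from email.message import Message
from email.utils import parseaddr

# Constructed example: the safe word the user registered with each sender
# domain.  The sending service keeps this, since it stamps the subject lines.
SAFE_WORDS = {
    "bankofamerica.com": "Incontinent Panda",
    "apple.com": "Lavender Teapot",
}

# A leading "[tag]" followed by the rest of the subject.
TAG_RE = re.compile(r"^\[(?P<tag>[^\]]+)\]\s*(?P<rest>.*)$")


def tag_subject(subject: str, safe_word: str) -> str:
    """What the sending service does: prefix the subject with the safe word."""
    return f"[{safe_word}] {subject}"


def split_tag(subject: str):
    """Return (tag, remaining subject); tag is None when no leading [tag] exists."""
    m = TAG_RE.match(subject.strip())
    if not m:
        return None, subject.strip()
    return m.group("tag"), m.group("rest")


def classify(raw_message: str) -> str:
    """What the recipient's mail filter does with an incoming message.

    Returns one of:
      "verified"   - claimed sender is enrolled and the subject carries its safe word
      "mismatch"   - claimed sender is enrolled but the tag is missing or wrong
      "unenrolled" - no safe word is registered for the sender, so nothing can be said
    """
    msg: Message = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = SAFE_WORDS.get(domain)
    if expected is None:
        return "unenrolled"
    tag, _ = split_tag(msg.get("Subject", ""))
    # Constant-time comparison so the check itself leaks nothing about the word.
    if tag is not None and hmac.compare_digest(tag.encode(), expected.encode()):
        return "verified"
    return "mismatch"


# Constructed sample messages, as the filter would receive them.
GENUINE = (
    "From: Bank of America <alerts@bankofamerica.com>\n"
    "Subject: "
    + tag_subject("Bank of America: Important Notice On Your Account Information (Re-Confirm)",
                  SAFE_WORDS["bankofamerica.com"])
    + "\n\nPlease review your account.\n"
)
PHISH = (
    "From: Bank of America <security@bankofamerica.com>\n"
    "Subject: Bank of America: Important Notice On Your Account Information (Re-Confirm)\n"
    "\nPlease re-confirm your details.\n"
)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(f"{name}: {classify(raw)}")
```

The filter keys on the domain the message claims to come from; because that header is forgeable, a missing or wrong tag on a message claiming an enrolled sender is exactly the at-a-glance signal the post describes, while mail from senders with no registered safe word falls through to ordinary spam filtering.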

2 Responses to “Really Simple Anti-Phishing Idea”

  1. Jonathan Wight
    19. February 2009 at 10:07

    Reminds me of the image you can use with a Yahoo account to help you recognise your login.

    ING Bank also does the same thing. My image is (say) a (potentially incontinent) Panda, if the image isn’t on the login page I know something phishy is going on.

  2. John
    19. February 2009 at 10:37

    Bank of America does have a “picture and phrase” association that you choose. When you log in to their site, you put in your username and location, then this picture shows up with a phrase. If they match, then you’re prompted to enter your password.

    It’s a great anti-phishing technique…but only works at the web login level.

    I like your idea quite a bit, actually.