View Full Version : [Dixonary] OT: Why 2 Login Screens?


Guerri Stevens
April 3rd, 2016, 06:32 AM
Why do some sites have 2 screens to log in? I mean one screen to put in
your "name" and a second screen for the password? And sometimes screen 2
says "we recognize your name" in addition to asking for the password?

Seems to me it wastes time. For the user, that is.

One theory of mine is that if the site has advertising, it provides an
opportunity for more ads.

--
Guerri

--
You received this message because you are subscribed to the Google Groups "Dixonary" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dixonary+unsubscribe (AT) googlegroups (DOT) com.
For more options, visit https://groups.google.com/d/optout.

Efrem Mallach
April 3rd, 2016, 07:59 AM
Guerri,

This “two-factor authentication,” if done correctly, provides a significant added amount of security.

It’s fairly easy for someone to send you an e-mail that claims to come from (for example) Santander Bank. It copies verbiage from genuine Santander Bank e-mails, copies real Santander graphics from their Web site, and provides a plausible reason why you should log into your Santander account.

Not everyone has a Santander account, of course, but if they send this message to 100,000 random people, several thousand of them will. Suppose you’re one of them.

They give you a link to click. The link says “click here to log in” or some such. It goes to, say, santanderbanking.com rather than santanderbank.com. Most people would not notice that. It has a copy of Santander’s real log-in page, but the information goes to the bad guys. Then they display “login failed, please try again” or a similar message and send you to the real Santander site where you log in without incident and do whatever the e-mail said to do. You think no more of it. When you check your balance or try to withdraw cash the next day, your money is all gone.

If two-factor authentication is done right, after the first screen, the bank will display a picture that you chose from a library of several dozen and a phrase that you gave them earlier before asking for your password. If you don’t see the kitten and the phrase “Tigers have stripes,” you know something’s fishy and don’t enter your password. Since the bad guys don’t have the real Santander database that says what your chosen picture and security phrase are, you won’t give them your password and your account won’t be cleaned out.

Not every site does this correctly, of course. Just asking for the same information in two steps adds a bit of hassle to the login process and makes it a bit harder for the bad guys to mimic, but mostly misses the point.

Efrem



Guerri Stevens
April 5th, 2016, 05:47 AM
I can understand that, but the site that caused me to ask that question
doesn't add any security that I can detect. It still requires a login
name and password, but slows down the whole process by splitting them up.

Now if they wanted better security, it seems to me they'd demand both
the name and the password together. By doing what they do, i.e. getting
the name and using a second screen for the password, with that second
screen acknowledging the validity of the name and asking for the
password, it seems to me they are lessening the security because now, a
hacker would know the name is good. Of course, the hacker would still
have to figure out the password.

Of course, the current procedure may simply be step 1 of an ongoing
process to beef up their security.

Guerri

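The flow Efrem describes (username on screen 1, then a user-chosen picture and phrase shown before the password prompt) and the worry raised just above (a second screen that confirms the name is valid tells whoever is typing that the account exists) can both be handled in one small server-side model. What follows is an added example written for this edit, not code from anyone in the thread or from any bank: the usernames, passwords, image library, phrases (apart from the kitten and "Tigers have stripes" quoted above) and the server secret are all constructed. The design choice shown is that screen 1 answers with the same shape for known and unknown names: an unknown name gets a decoy image and phrase derived from an HMAC of the name, so repeated attempts see a stable answer and the reply never says "we don't know you"; screen 2 accepts only a single-use, time-limited token issued by screen 1.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side state for the example (not a real deployment).
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
IMAGE_LIBRARY = ["kitten", "lighthouse", "sailboat", "oak tree"]
PHRASE_LIBRARY = ["Tigers have stripes", "Rain falls upward",
                  "Blue teapot", "Seven green chairs"]
TOKEN_TTL_SECONDS = 120


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash; a production system would use argon2/bcrypt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record using Efrem's kitten / "Tigers have stripes" example.
_SALT = b"constructed-per-user-salt"
USERS = {
    "guerri": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse battery", _SALT),
        "image": "kitten",
        "phrase": "Tigers have stripes",
    },
}

# Screen-1 tokens: token -> (username, expiry). Each token is single use.
_PENDING: dict[str, tuple[str, float]] = {}


def _decoy_for(username: str) -> tuple[str, str]:
    """Stable decoy image/phrase for a username that has no account.

    Derived from an HMAC over the name, so the same unknown name always
    gets the same picture and phrase and screen 1 does not reveal that
    the account does not exist.
    """
    digest = hmac.new(SERVER_SECRET, username.lower().encode(), "sha256").digest()
    image = IMAGE_LIBRARY[digest[0] % len(IMAGE_LIBRARY)]
    phrase = PHRASE_LIBRARY[digest[1] % len(PHRASE_LIBRARY)]
    return image, phrase


def step1_username(username: str) -> dict:
    """Screen 1: take the username, answer with a token plus image/phrase.

    Known and unknown names get a response of identical shape.
    """
    token = secrets.token_urlsafe(16)
    _PENDING[token] = (username, time.monotonic() + TOKEN_TTL_SECONDS)
    user = USERS.get(username)
    if user is not None:
        image, phrase = user["image"], user["phrase"]
    else:
        image, phrase = _decoy_for(username)
    return {"token": token, "image": image, "phrase": phrase}


def step2_password(token: str, password: str) -> bool:
    """Screen 2: verify the password for the username bound to the token."""
    entry = _PENDING.pop(token, None)  # consumed whether or not the login succeeds
    if entry is None:
        return False
    username, expires_at = entry
    if time.monotonic() > expires_at:
        return False
    user = USERS.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time does
        # not distinguish "no such account" from "wrong password".
        _hash_password(password, _SALT)
        return False
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


if __name__ == "__main__":
    first = step1_username("guerri")
    print("screen 2 shows:", first["image"], "/", first["phrase"])
    print("login ok:", step2_password(first["token"], "correct horse battery"))
    unknown = step1_username("nobody-here")
    print("unknown name still gets a picture:", unknown["image"], "/", unknown["phrase"])
```

The password comparison goes through hmac.compare_digest, and the unknown-user branch still runs a hash so that neither the reply text nor its timing confirms whether a name is on file. It is worth being clear about what the picture-and-phrase step buys: it defeats a static copy of the login page, which has no way of knowing the image, but it is a supplement to a genuine second factor rather than a replacement for one.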

Daniel Widdis
April 6th, 2016, 12:39 AM
I've recently joined a MeetUp group called "Ethical Hackers". The idea
is to learn hacking techniques, and to use them for good.

Last week's exercise was to clone a website. With zero experience and
only a piece of paper with instructions to guide me, within a few
keystrokes I had cloned a copy of the login page for www.facebook.com
(which has both email and password on the same screen). With a few more
keystrokes I'd published my fake page (that looked exactly like
Facebook) on my own web server. And with a $100 piece of equipment
called a "pineapple" with a wireless SSID set to "attwifi" (formerly the
default free wifi network at Starbucks) I was able to intercept
legitimate DNS requests for "facebook.com" and direct them to my
server. People entered their userid and password, which I logged to a
file, and then dumped them out on the "real page" where they probably
assumed they'd mistyped their credentials and tried again, successfully.

If I were to set myself up in a coffee shop or airport terminal with a
similar setup, I'd be able to collect hundreds/thousands of logins. And
since many people use the same login on many sites, suddenly that user's
facebook login becomes their email login. And does anything happen
immediately? No. People monitor the email for months until that
password reset from their bank comes through, and now you have a banking
login...

The simple step of putting UserID on one screen and password on the next
completely foils this trivial attack. The effort required to clone a
multi-layered login isn't worth it for most hackers.


Jim Hart
April 6th, 2016, 01:37 AM
Daniel, That sounds scarily simple.

> People monitor the email for months until that password reset from their
> bank comes through, and now you have a banking login...

Do you mean you (i.e. the hacker) find out my email address from fb, then if
I've used the same password you can watch my email? Why would my bank send
me a password and account login by email? Or have I missed a step?

My facebook account is registered with a different email address which is
auto-forwarded to my normal one. Would that help?

I guess you could do the same thing with a fake gmail page and other common
sites. All too easy.

Jim





Daniel Widdis
April 6th, 2016, 01:47 AM
There are a variety of ways of trying to get your information, but yes,
using the same userid/email/password combination is simply asking for
trouble.

It may not be your bank that sends you a password in email, but many
websites have a "forgot my password" link that sends you your password in
email. And if you use the same/similar password often enough, it's a
matter of time until someone's got it.

Or other acknowledgements like that purchase you made showing your
credit card number, expiration date, and special code.

Some people will set up a legitimate site for something of interest to
you, get you to create an account with them, and grab your information
that way. (Job hunting websites you've never heard of before are an
example.)

The bottom line for this email thread is that separating userid and
login (creating a two-step login) is a relatively trivial step a website
can make that can greatly improve your own security, and you should
thank the websites that do so (Yay my bank. Yay Twitter. Boo Facebook.)

The bottom line for your own security is that you should stop using the
same password everywhere (unless you have a throwaway one you use when
you don't care) and use an app/program to generate strong passwords for
your important (banking, identity) stuff. Personally I swear by the
"1Password" app, but there are other options.

Also you should delete any SSIDs from your wifi enabled phone/computer
for anything but sites you know (home/work). The "attwifi" or "free
wifi" or other common connections are as likely to be a hacker as a
legitimate hotspot.

It's scary how trivially easy this is. My 14 year old can do it.



Guerri Stevens
April 6th, 2016, 06:25 AM
Very interesting!

Guerri


Efrem Mallach
April 6th, 2016, 06:40 AM
The Wi-Fi Pineapple is a really insidious device in the wrong hands. A mischief-maker doesn’t even need to set up a fake web site to take advantage of it.

Suppose your laptop is set to detect your home network automatically, as most do. When you start it up, it sends a signal to see if that network is in range. Say you’re in a coffee shop across town. A device such as the Wi-Fi Pineapple in the same coffee shop, operated by someone who looks like any other customer, can respond “Yes, I’m your home network.” From then on your communications go through that device. You won’t notice anything wrong, but its user will be able to collect your account numbers, passwords and more.

To avoid being victimized by this trick: when your computer connects to a network automatically, check the network to which it has connected before using the connection. If your computer thinks it’s on your home network when you’re miles away, disconnect right away! Alternatively, don’t do anything in coffee shops or other public places that involves IDs and passwords. The bad guys can intercept your perusal of cnn.com or weather.com, but that won’t expose you to any risk.

Efrem



Guerri Stevens
April 6th, 2016, 07:16 AM
I rarely use my own computer when away from home. If I want to keep up
with Dixonary (and really, what else would I need to do???), I use the
hotel's computer, if staying in a hotel, and I don't log in to my own
account. I think I use mail2web, which may not be a good idea, now that
I think about it.
Guerri


Efrem Mallach
April 6th, 2016, 07:36 AM
The good news: This is one scam you can probably safely ignore.

The bad news: There are a lot more out there ...

Efrem

