您如何确保用户知道他们在您的网站上?
今天互联网小镇上的热门话题是,谷歌搜索引导数十名 Facebook 用户在 ReadWriteWeb 上找到了一篇有关 Facebook 与 AOL 交易的文章。 评论区中发生的事情迅速成为互联网传奇。
然而,热闹背后是一个可怕的事实,这可能是用户浏览所有网站的方式,包括他们的银行网站和其他更重要的网站。快速搜索“我的银行网站登录”并快速单击第一个结果。一旦到达那里,用户就愿意提交他们的凭据,即使该网站看起来与他们尝试访问的网站完全不同。 (用户的评论通过 facebook-connect 连接到他们的 Facebook 帐户这一事实证明了这一点)
防止这种情况几乎是我们无法控制的,并且对我们的用户进行互联网浏览基础知识的教育也同样是不可能的。那么,我们如何确保用户在尝试登录之前知道他们位于正确的网站上呢? 美国银行的 SiteKey 之类的东西足够吗?或者是另一个警察- 将责任转移回用户身上?
The talk of internet town today is the SNAFU that led to dozens of Facebook users being led by Google search to an article on ReadWriteWeb about the Facebook-AOL deal. What ensued in the comments tread is quickly becoming the stuff of internet legend.
However, behind the hilarity is a scary fact that this might be how users browse to all sites, including their banking and other more important sites. A quick search for "my bank website login" and quickly click the first result. Once they are there, the user is willing to submit their credentials even though the site looks nothing like the site they tried to reach. (This is evidenced by the fact that user's comments are connected to their facebook accounts via facebook-connect)
Preventing this scenario is pretty much out of our control and educating our users on the basics of internet browsing may be just as impossible. So how then can we ensure that users know they are on the correct web site before trying to log in? Is something like Bank of America's SiteKey sufficient, or is that another cop-out that shifts responsibility back on the user?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
互联网和网络浏览器曾经有一些很酷的功能,实际上可能有一些适用性。
其中之一就是所谓的“域名”。您无需在工具栏的右侧输入网站名称,而是在左侧有另一个更大的文本字段,您可以在其中输入网站名称。这个神秘的“地址”字段不是搜索在庞大的 Magic 8-Balls 农场上运行的专有 Google 数据库,而是查阅了权威的“域名”注册表,并且每次都会引导您到达正确的站点。遗憾的是,有时需要您输入最多 8 个额外字符!这个负担对于大多数用户来说太过沉重,因此这个繁琐的功能已经被放弃了。
您过去在浏览器中看到的另一件事是所谓的“书签”。词源学家仍在试图确定“书签”一词的起源。他们怀疑这与上面有有趣的曲线的纸有关。不管怎样,这些书签允许用户创建一个按钮,将他们直接带到感兴趣的网站。当然,创建书签是一个乏味且令人生畏的过程,有时需要单击两次菜单,或者更糟糕的是,需要使用 Ctrl 键!
啊,古人的奇迹。
The Internet and web browsers used to have a couple of cool features that might actually have some applicability there.
One was something called "domain names." Instead entering the website name over on the right site of your toolbar, there was another, larger text field on the left where you could enter it. Rather than searching a proprietary Google database running on vast farms of Magic 8-Balls, this arcane "address" field consulted an authoritative registry of "domain names", and would lead you to the right site every time. Sadly, it sometimes required you to enter up to 8 extra characters! This burden was too much for most users to shoulder, and this cumbersome feature has been abandoned.
Another thing you used to see in browsers was something called a "bookmark." Etymologists are still trying to determine where the term "bookmark" originated. They suspect it has something to do with paper with funny squiggles on it. Anyway, these bookmarks allowed users to create a button that would take them directly to the web site of interest. Of course, creating a bookmark was a tedious, intimidating process, sometimes requiring as many as two menu clicks—or worse yet, use of the Ctrl-key!
Ah, the wonders of the ancients.
该网站可以通过显示一些个人信息来“个性化”自己,
每个页面都易于用户识别。
有很多方法可以实现它。最明显的一个:
首次访问时,该网站要求用户上传一些头像,
并将用户的 ID 添加到 cookie 中。此后,用户每次浏览
该网站,显示头像。
The site could "personalize" itself by showing some personal information,
easy recognizable by the user, on every page.
There are plenty of ways to implement it. The obvious one:
under first visit, the site requires user to upload some avatar,
and adds user's id to the cookies. After that, every time the user browses
the site, the avatar is shown.
当我设置网上银行帐户时,它要求我从一系列图像中进行选择。现在,每次登录时都会显示我选择的图像。这让我确信我访问的是正确的网站。
编辑:我刚刚阅读了有关 BoA SiteKey 的链接,这显然是同一件事(从名字上听起来像一个挑战响应加密狗)
我想最好的答案是一个硬件设备,需要来自银行和银行的代码用户并经过身份验证。但所有这些事情都假设人们实际上正在思考这个问题,但他们当然没有。这件事发生在网上银行普及之前——我有一个朋友,她的钱包在 90 年代被偷了,小偷假装是她的银行给她打电话,说服她透露自己的 PIN 码……
When I set up my online bank account, it asked me to choose from a selection of images. The image I chose is now shown to me every time I login. This assures me that I am on the right website.
EDIT: i just read the link about the BoA SiteKey, this is apparently the same thing (it sounded from the name like a challenge-response dongle)
I suppose the best answer would be a hardware device which required a code from the bank and the user and authenticated both. But any of these things assume that people are actually thinking about the problem, which of course they don't. This was going on before internet banking was common - I had a friend who had her wallet stolen back in the 90s, and theif phoned her pretending to be her bank and persuaded her to reveal her PIN...
当用户第一次访问该网站并登录时,他可以分享一些冒名顶替网站不可能知道的个人信息(甚至是一些非常琐碎的信息)——高中吉祥物、居住的第一条街等。
如果有任何网站问题真实性,网站可以将此信息分享回给用户。
就像电视节目/电影中的邪恶双胞胎一样。好双胞胎总是通过分享一个只有试图弄清楚谁是好双胞胎的人才知道的秘密来赢得信任。
When the user first visits the site and logs in, he can share some personal information (even something very trivial) that imposter sites couldn't possible know - high school mascot, first street lived on, etc.
If there's ever any question of site authenticity, the site could share this information back to the user.
Like on TV shows/movies with the evil twin. The good twin always wins trust by sharing a secret that only the person who's trying to figure out who the good twin is would know.
您本身无法阻止网络钓鱼,但您可以采取几个步骤,每个步骤都可以稍微缓解问题。
1) 如果您有站点密钥或登录印章之类的内容,请确保这些内容不会被 iframe 到恶意网站上。仅仅 javascript Framebusting 可能还不够,因为 IE 具有 security="restricted"。
2) 对于请求用户凭据的方式保持一致 - 通过 SSL 提供登录表单(而不仅仅是通过 SSL 回发)。不要要求在多个地方或网站上登录。鼓励想要使用您网站上存储的用户数据的第三方使用 OAuth(而不是获取您的用户密码)。
3) 您绝对不应该通过电子邮件(带或不带链接)索取信息。
4) 有一个安全页面来讨论这些问题。
5) 发送有关注册电话、电子邮件等更改的通知。
除上述之外,监视用户帐户活动 - 例如联系信息、安全问答、访问权限等的更改(注意时间、ip,还有一些微妙的技术) )。
You cannot prevent phishing per-se but you can take several steps each of which do a little bit to mitigate the problem.
1) If you have something like site-key or a sign-in seal, please ensure that these cannot be iframed on a malicious website. Just javascript framebusting may not be enough as IE has security="restricted".
2) Be very consistent about how you ask for user credentials - serve the login form over SSL (not just post-back over SSL). Do not ask for login on several places or sites. Encourage third parties who want to work with user data stored on your site to use OAuth (instead of taking your user's password).
3) You should never ask for information via email (with or without link).
4) Have a security page where you talk about these issues.
5) Send notification on changes to registered phone, email, etc.
Apart from above, monitor user account activity - such as changes to contact information, security Q&A, access, etc (noting time, ip, and there are several subtle techniques).