Color can prevent your users from getting phished (opens in new tab)

(hackernoon.com)

11 pointsemeltzz7y ago7 comments

7 comments

So, this system, if it ever got wide use, would rely on users remembering which "unique" colors were randomly assigned to them by whichever sites they use.

I was thinking, "Gee, if a scanner put a random color bar at the top of the phishing emails, how often would the color look close enough that the user couldn't distinguish between it and their own color, at least without comparing the colors side-by-side?", but I'm not convinced users would even remember their colors after the second or third one.

(And if course, this is very flawed for the color-blind and utterly useless for anyone using screen-readers.)

emeltzzOP7y ago

I think this is a good start--some easy modifications could turn it into a 3-color banner similar to the french or mexican flags, which would be both easier to remember and less likely for a scammer to guess correctly. Or you could do randomly generated animals! i.e. "if you don't see a pink bear, you're being phished"

frosted-flakes7y ago

The power company where I used to live did something like this for it's online dashboard, but with images (I think it was Delmarva Power). Every time you entered your username to log in, it would show you a simple image/line-drawing and a message saying that if the image ever changes, you're being scammed, so don't enter your password. I've never seen anything like it since.

As far as colours on emails goes, if everyone starts doing it, nobody will remember which colour goes with which company. It needs to be something more distinctive than just a colour band.

numtel7y ago

My credit union had that for years but you had the option to choose from a set of available images.

They replaced it last year with mandatory SMS 2FA. I immediately sent them a message about how insecure it is but never received a response. What a terrible regression.

retrobox7y ago

This seems great in theory but I can’t help but think the phishing scam would evolve in to “your account has been hacked and your secret color discovered. Click here to login and set a new secret color.”

Also, let’s suppose a database of users and their associated color is compromised but that the intrusion is not immediately detected. This allows scammers to craft emails with the right color of banner leading to “but the email has the right color at the top so it can’t be a phishing scam” logic.

It may just shift the problem.

cloud_thrasher7y ago

This is a long-standing issue and many solutions have been devised. Regardless of most solutions, it will probably always fail because people don't want to be bothered with remembering colors, images, configuring PGP, etc. Case in point, ask anyone how much they are annoyed by reCAPTCHA.

wodenokoto7y ago

Yahoo had something similar, although all I remember was them bugging me to choose a color for security, and me trying to ignore it because I didn't care.

I wanna say it was something about colouring the login box, but I can't make that make sense.

j / k navigate · click thread line to collapse