Silk Road forums
Support => Feature requests => Topic started by: thewhiteguy on December 11, 2011, 02:02 pm
-
Phishing has become quite a problem as far as I understand it, and is getting increasingly worse. Correct me there if I am wrong.
However I think a simple way to combat this would be for SR to incorporate a very small image file that only the user knows and would be displayed upon log on. (Probably would be changed every so often to ensure security.)
If I understand phishing well enough (very little knowledge) this would allow for users to tell whether or not they are on SR or if they have gone through an invalid link. Please let me know what you all think, especially the techies.
I just think it would be very nice to have a confirmation that you are actually at the real SR and not going through some middle man.
-
This strategy is only effective when the username and password are entered on separate pages. Frankly phishing shouldn't be a problem. The new URL is easy to remember, and if you can't remember it you can save it. So long as people aren't getting the link out of wikis and such, they should be fine. I'm not saying nobody gets phished, but nobody should, and I suspect those that do would in any case.
-
New Silk Road URL should work fine ;)
-
two thoughts. first, the new url IS easier to remember, but the way I remember it is "silkroad very bad 5 phiser" and that just seems strange.
second, there is a thread here requesting a second password for withdrawal. I think that is the best idea, because then even if someone gets into your account, they couldn't do anything with your money. then if your account were compromised, you might be able to use that withdrawal password to reset your account pass.
-
I am in full support of the second password for withdrawing funds. As long as it cannot be the same password, it seems that it would be almost impossible to get your funds stolen from a phishing site... unless you tried to withdraw money through a phishing site, that'd suck haha
-
I think this might actually be a good idea. You could have a small list of GIFs that a buyer could select from in their account settings, maybe one of 50 or 100 different little pictures, and whenever you show up to the SR site that pic is beside the captcha. Coding isn't too crazy for it either.
But the secondary funding password is the key to the whole mess. If you have to have a password that is different from your SR Main password in order to move money around, this would literally end phishing entirely. You would still have the odd asshole who would change the account login and try to get free product shipped to him on the buyer's behalf (this just happened to me last night and now someone thinks I hacked their account) or just troll around and leave negative feedback on everything or finalize everything early hoping the buyer they are doing this to gets product lost.
If we had these two things, phishing would be less than 10% as common as it is now. Maybe even stamped out entirely. The other option would be to do what most of the long-term digital currency sites have moved to - once you have logged in there is a message or phrase that you have written or selected that shows up. This confirms you are in fact on the right site. And then all you need is a PIN for moving money around, even a 6 digit numerical number would be better than the same password that gets the phishers on the site in the first place.
-
Bookmark.
-
You could have a small list of GIFs that a buyer could select from in their account settings, maybe one of 50 or 100 different little pictures, and whenever you show up to the SR site that pic is beside the captcha.
There is the technical little problem that the captcha shows up before you've signed in, so the login page doesn't know what picture to show you.
I've visited the SR phishing sites to see what was up, and it was basically the same login page on a different addy. When you tried to sign in, it sent you to the real silk road page just as if you'd fucked up signing in. Try it a second time, and you're in the real SR - and the phisher has your password.
Never has one of the phishing sites actually pretended to be more than just the login screen.
None of these suggestions would counter the phishers' current M.O.
-
two thoughts. first, the new url IS easier to remember, but the way I remember it is "silkroad very bad 5 phiser" and that just seems strange.
second, there is a thread here requesting a second password for withdrawal. I think that is the best idea, because then even if someone gets into your account, they couldn't do anything with your money. then if your account were compromised, you might be able to use that withdrawal password to reset your account pass.
That is a fantastic way to remember it! That actually makes some pretty decent sense. I agree with the 2 password things.
I sometimes end up using friends' computers so I don't always get to use my bookmarks.
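-
The separate withdrawal password proposed in this thread, as an added example (not part of any post and not the site's own code). The `Account` class, its method names and the `MAX_PIN_FAILURES` limit are assumptions; the sketch refuses a withdrawal secret equal to the login password and locks withdrawals after repeated wrong guesses, which a 6-digit PIN needs.

```python
import hashlib
import hmac
import os

MAX_PIN_FAILURES = 5  # assumed limit: a 6-digit PIN has only 10**6 possible values


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database does not reveal either secret directly.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Hypothetical account record holding separate login and withdrawal secrets."""

    def __init__(self, login_password: str):
        self.login_salt = os.urandom(16)
        self.login_hash = _hash(login_password, self.login_salt)
        self.pin_salt = os.urandom(16)
        self.pin_hash = None      # no withdrawals until a PIN is set
        self.pin_failures = 0
        self.balance = 0

    def check_login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.login_salt), self.login_hash)

    def set_withdrawal_pin(self, pin: str) -> None:
        # A PIN equal to the login password adds nothing once that password is phished.
        if self.check_login(pin):
            raise ValueError("withdrawal PIN must differ from the login password")
        self.pin_hash = _hash(pin, self.pin_salt)
        self.pin_failures = 0

    def withdraw(self, amount: int, pin: str) -> bool:
        """Debit the balance only for a correct PIN on an unlocked account."""
        if self.pin_hash is None or self.pin_failures >= MAX_PIN_FAILURES:
            return False  # locked: needs an out-of-band reset (not modelled here)
        if not hmac.compare_digest(_hash(pin, self.pin_salt), self.pin_hash):
            self.pin_failures += 1
            return False
        self.pin_failures = 0
        if amount <= 0 or amount > self.balance:
            return False
        self.balance -= amount
        return True
```

This covers only the case the thread describes, where the login password is captured on a fake login page; as one reply notes, a PIN typed into a phishing site is captured just the same.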