Yahoo!'s Newest Feature to Prevent Password Theft

[Nessa]

Anyone else notice the new Prevent Password Theft feature? This basically works like most bank sites have implemented lately. You put your image or text of choice and everytime you want to login to Yahoo! on your computer that image should appear, if not, then it's not a real Yahoo! login site, so don't sign in!

This is a really nifty feature because there is a lot of people who get their id's taken when they log into phishing sites, especially the Yahoo! Geocities one's. So this should really help minimize the number of people who fall into these little traps.

Taken from the Yahoo! Site:

Quote:

What is phishing?
Phishing - a play on the word "fishing" - is an attempt to steal your password and private account info. Phishers can set up fake web sites that look like those of trusted companies like Yahoo! to trick you into disclosing your user name and password. To learn more about phishing, visit the Yahoo! Security Center.

How does a sign-in seal protect me?
A sign-in seal is a secret between the computer you set it up on and Yahoo!. So when you sign in to Yahoo! from this computer, your sign-in seal tells you that you're seeing a genuine Yahoo! site, not a phishing site.

Why do I have to set up a seal on each computer I use?
Your sign-in seal is associated with your computer, not your ID. It is a convenient way to instantly recognize a genuine Yahoo! sign-in page and be sure that you're not on a page created by fraudsters attempting to steal your Yahoo! ID and password. Because we associate your sign-in seal with your computer, after you create a seal, there are no additional steps to signing in. Even if a phisher knows or guesses your ID or other personal information, they cannot use it to discover your sign-in seal. Note: Yahoo! will never ask for your Yahoo! ID or password in order to set up or display your sign-in seal.

What if I share this computer with family or friends?
If they use Yahoo! too, you should show them the sign-in seal you're creating for this computer. Even better, create a sign-in seal together so that everyone will be happy to use and recognize the seal.

What about public computers?
Always use care when signing in on public computers, such as those located in libraries or Internet cafes. Administrators at these locations may create sign-in seals to help you identify Yahoo! on these machines, but you should not replace one of these seals with your own. It's best to rely on other methods to to ensure you're signing in to a genuine Yahoo! site.

Will this sign-in seal protect me on sites other than Yahoo!?
No. The sign-in seal that you create here will only appear on Yahoo! sign-in screens. For more information about how to protect yourself online no matter where you are, see the Yahoo! Security Center.

What if I don't see my sign-in seal?
You could be on a fraudulent site, but there might be other reasons why you can't see it. For example, someone else using your computer may have deleted or changed your seal, your cookies or files on your computer may have been deleted, or you're using a partner or international Yahoo! site (like BT Yahoo! or Yahoo! India). To be safe, look for these other clues to make sure you're on a genuine Yahoo! sign-in screen.

*Below i added two screenshots, one of how it looks when it's not in use and one when it's in use. (And yes i'm still a tigger lover there!) :P

So what do YOU think about this new feature? Will it help reduce phishing on Yahoo!?

All comments welcome!

Not in Use:In Use:

[EliteNick]

That's actually pretty awesome. I think it will indeed help.

[enigma666]

This is a welcomed addition to the fight against phishing on yahoo's myriad of sites. However, that being said it is kind of useless if you're like me and like to clear your browser cache out every day. Once you clear out the browser cache, your sign in seal & settings get erased and you will have to edit it again for it to work.

[David]

That's utterly useless.

Bank of America's online banking application has been using this for quite a while now, but they used a server-basesd solution. it's called a SiteKey, and you select it once, and it's shown regardless of the browser.

The very fact that it's cookies based makes it just as easy for the phishing site to say "oh, your cookie is gone, create a new seal."

Great concept, horrible implementation.

[kyle_baker]

Niice writeup. I read this several weeks ago and am just getting to respond to it because this site has come to a dramaticly fast stop! The updates here are getting fewer and fewer. Anyone know why?

[TimRock]

I had several unimportant yahoo accounts/names stolen from me by a few people and they flaunted it to me in a yahoo chatroom. I guess just kids trying to impress people while acting imature talking under MY name inwhich they stole.

Anyway...i completely reformated my hard drive,used the sign-in seal after making a new Yahoo! account/name then IMed all of my old names and told them to try and take this new name i made and the next day they stole it.

Yahoo is very far behind what they are trying to keep up on.Case in point,they need to shoot for a better solution.People can also devert Yahoo! users entering a chatroom to a bogus chatroom that looks like an official yahoo site.

My suggestion is to not use Yahoo!for anything important.if you are then you are skating on thin ice.

[Nessa]

Quote:

Originally Posted by TimRock

Anyway...i completely reformated my hard drive,used the sign-in seal after making a new Yahoo! account/name then IMed all of my old names and told them to try and take this new name i made and the next day they stole it.

The seal isn't meant to protect your password from crackers who steal passwords that way. ;)

It's actually meant to stop phishing (prevents you from logging in into a fake Yahoo! log-in page which is a way some people use to get id's/passwords.)

And i don't mean to sound mean, but you basically are asking for your id's to be taken or else you would have stopped going to that specific room... Especially that last time in which you TOLD them to take your name, The seal won't stop that and isn't meant to...

[TimRock]

Quote:

Originally Posted by hatedjealousy

The seal isn't meant to protect your password from crackers who steal passwords that way. ;)

It's actually meant to stop phishing (prevents you from logging in into a fake Yahoo! log-in page which is a way some people use to get id's/passwords.)

And i don't mean to sound mean, but you basically are asking for your id's to be taken or else you would have stopped going to that specific room... Especially that last time in which you TOLD them to take your name, The seal won't stop that and isn't meant to...

I dont think you understand.The way they stole the names are by the fake web pages but the they can duplicate the seal.so my point is that it doesnt work.

so what do you mean by saying[quote=hatedjealousy;207778]``The seal isn't meant to protect your password from crackers who steal passwords that way. ;)`` what way are you referring to?

[Nessa]

Quote:

Originally Posted by TimRock

I dont think you understand.The way they stole the names are by the fake web pages but the they can duplicate the seal.so my point is that it doesnt work.

I really don't see any possible way they can duplicate your seal, unless they have complete access to your computer, in which, you have a way bigger problem than them taking your Yahoo! id's. Plus i've seen my fair share of fake Yahoo! log-in pages meant for phishing and NONE have duplicated my seal. ;)

Quote:

Originally Posted by TimRock

so what do you mean by saying

Quote:

what way are you referring to?

There is other ways to take people's id's other than phishing. I am not going to go into detail about how, but there is both ways and programs people use to figure out another person's password. And the seal is only meant to protect you from Phishing by creating a seal which you choose on your computer, which is why i find it hard to believe they could duplicate that seal.

But if you insist they can do this, as a warning to all: Always look at the link in your address bar to make sure it says Yahoo!. Also a geocities site does not require log-in, so do not log-in unless you are trying to access your page.

[TimRock]

Quote:

Originally Posted by hatedjealousy

I really don't see any possible way they can duplicate your seal, unless they have complete access to your computer, in which, you have a way bigger problem than them taking your Yahoo! id's. Plus i've seen my fair share of fake Yahoo! log-in pages meant for phishing and NONE have duplicated my seal. ;)

There is other ways to take people's id's other than phishing. I am not going to go into detail about how, but there is both ways and programs people use to figure out another person's password. And the seal is only meant to protect you from Phishing by creating a seal which you choose on your computer, which is why i find it hard to believe they could duplicate that seal.

But if you insist they can do this, as a warning to all: Always look at the link in your address bar to make sure it says Yahoo!. Also a geocities site does not require log-in, so do not log-in unless you are trying to access your page.

The seal doesnt prevent password theft.So if there are more ways to steal passwords by the flaws Yahoo! has,WHY doesnt Yahoo! do anthing about it?