Yahoo! using the Secret Handshake, kinda

A while back I wrote about the secret handshake. The idea is that websites that want to communicate with you could let you give them a keyword (not a password) that they would then include in all email correspondence. It would make phishing more obvious and let you set up filters that look for your handshakes and move those messages to priority folders.

Yahoo! has been using something similar for at least a few months now. It’s not for email, it’s for their login page. Here’s how it works:

  • Yahoo allows you to choose some words or upload an image. This image becomes your seal.
  • Once you’ve done this, the seal will appear everywhere Yahoo asks you to sign in.
  • Since it’s displayed before you sign in, it’s computer-dependent -- go to a different computer and you’ll need to set up another seal.

Yahoo! Secure Seal

Here’s an example. I set up my seal with the words “clowns welcome”, and chose the reddish brown color for the seal. Every time I log into Yahoo with my laptop, this is what I’m going to see. This is not exactly the secret handshake I talked about a few months back, but it’s achieving the same thing: it’s using something personal to verify to you that the site is who it says it is.

There seem to be some gaps in Yahoo’s seal, though. For one, it’s computer-specific: if you set up a seal on your laptop, you’ll only see it on your laptop, so on a school computer or a Kinko’s machine the seal is useless. Considering most browsers have a “remember this password” option, I’m guessing that for a lot of people the only time they actually enter their Yahoo password is when they’re not on their normal machine(s).

The other potential problem I see with it is that Yahoo doesn’t really tell you what to do if the seal is not there. I am assuming the seal is cookie-based, and cookies can and do get cleared from time to time. Could this cause the exact opposite of what Yahoo wants to happen -- a user won’t log into the legit Yahoo site because they’re not seeing the seal? That would be funny.
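To make the mechanism from the list above concrete, here is an added toy model of a cookie-based sign-in seal (my own example, not Yahoo’s code; the store layout, cookie name and origins are assumptions). The browser only ever holds a random token, the seal text stays server-side, a page on another origin never receives the cookie, and a cleared cookie produces an explicit notice instead of a silently blank page:

```python
import secrets

# Server-side store: opaque browser token -> (username, seal text).
# Constructed in-memory stand-in for the real backend (assumed layout).
SEAL_STORE = {}

LEGIT_ORIGIN = "login.example.com"   # constructed: the site that set the seal
SEAL_COOKIE = "seal_id"              # hypothetical cookie name


def register_seal(username, seal_text, cookie_jar):
    """Bind a seal to this browser. The cookie carries only a random token;
    the seal itself never leaves the server, so the cookie reveals nothing."""
    token = secrets.token_urlsafe(32)
    SEAL_STORE[token] = (username, seal_text)
    # Cookies are scoped to the origin that set them, modelled as a per-origin dict.
    cookie_jar.setdefault(LEGIT_ORIGIN, {})[SEAL_COOKIE] = token
    return token


def render_login(origin, cookie_jar):
    """What the login page shows *before* a password is typed.
    A page at `origin` can only read cookies that were set for `origin`."""
    token = cookie_jar.get(origin, {}).get(SEAL_COOKIE)
    entry = SEAL_STORE.get(token) if token else None
    if entry:
        return {"seal": entry[1], "notice": None}
    # The gap noted above: say what a missing seal means instead of staying silent.
    return {
        "seal": None,
        "notice": ("No sign-in seal is set up on this browser. If you have seen one "
                   "here before, check the address bar before typing your password; "
                   "otherwise set one up after signing in."),
    }


def demo():
    jar = {}                                          # one browser's cookie jar (constructed)
    register_seal("alice", "clowns welcome", jar)
    same_browser = render_login(LEGIT_ORIGIN, jar)    # seal shown
    other_site = render_login("other-site.example", jar)  # different origin: no cookie sent
    jar[LEGIT_ORIGIN].clear()                         # user cleared cookies
    cleared = render_login(LEGIT_ORIGIN, jar)         # legit site, but seal gone
    return {"same_browser": same_browser, "other_site": other_site, "cleared": cleared}
```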

Overall I think this is a good move. My guess is it was implemented in order to roll out Yahoo’s new BBAuth feature that grants 3rd party sites access to Yahoo account information (with the user’s permission). Since the 3rd party sites need to send users to Yahoo temporarily, I could envision a lot of phishing scams being based on it. The seal could reduce that significantly.

UPDATE

Just hours after posting this I got an IM from a friend of mine to check out a geocities.com website. When I clicked the link, Yahoo asked me to log in. I typed my entire username into the field, but before I got to my password I noticed that the seal was missing. Upon further inspection, the page appears to be a phishing scam right on geocities. It looks like the seal actually saved me.

2 Responses to “Yahoo! using the Secret Handshake, kinda”

  1. TJ Downes Says:

    BofA does the same thing. It’s rather annoying if you ask me. Every time I clear my cookies I pretty much end up calling customer service to reset my account because I get locked out.

  2. Jon Says:

    I was gonna mention the BofA thing, too. It was REALLY annoying for the first few months when they were pestering me to create a “site key” -- I held out until they finally wouldn’t let me log on without doing it. Now, I’ve been using it for about a year (?) and I barely pay any attention to it except for the annoying fact that it adds yet another screen to the login process.
