Any creative solution to make it harder for hackers to copy your IdP login page?

Liam Hoekenga liamr at umich.edu
Mon Mar 26 17:06:39 EDT 2018


> I had considered this, too, Liam. Not only is referrer not terribly
> reliable, but there’s nothing stopping the
> hacker from grabbing the images and CSS when they grab the page source
> and hosting it, too.

Right.

We also have a problem with phishers copying our login page for nefarious
purposes.  I know that our security group would be very interested in
potential solutions.

Liam

On Mon, Mar 26, 2018 at 3:05 PM, Wessel, Keith <kwessel at illinois.edu> wrote:

> I had considered this, too, Liam. Not only is referrer not terribly
> reliable, but there’s nothing stopping the hacker from grabbing the images
> and CSS when they grab the page source and hosting it, too.
>
> Keith
>
> From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
> Sent: Monday, March 26, 2018 2:52 PM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Any creative solution to make it harder for hackers to
> copy your IdP login page?
>
> We had played with the idea of replacing all of the images or css files
> for the login page if the referrer wasn't the login page.. but referrer
> isn't the most reliable data.
>
> On Mon, Mar 26, 2018 at 2:47 PM, Wessel, Keith <kwessel at illinois.edu>
> wrote:
>
> Hi, all,
>
> We've had a couple recent phishing attempts where hackers have hosted
> their own stolen copy of our IdP login page in order to trick users into
> giving them their usernames and passwords. Our move toward MFA is going to
> make this much more difficult (I'm not naive enough to say impossible), but
> we're hoping to make it harder for this trick to work in the meantime. Our
> security folks asked if we could add some javascript that would bring up an
> impossible-to-close pop-up if the hostname didn't match what it should be.
> This is, of course, possible but also easy for a hacker to remove.
>
> We already have text at the bottom of our IdP login page stating what the
> hostname should be in the address bar, but nobody reads that part.
> Amusingly, the hackers didn't even change that part in their login page
> knock-offs. But our security folks didn't even notice that text until I
> pointed it out to them.
>
> I'm wondering if anyone has come up with creative solutions to slow down
> hackers from doing this kind of thing.
>
> Thanks for any thoughts,
> Keith
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/
> confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
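The referrer idea discussed above is weak as a blocking control, but it still works as a detection signal: requests for the login page's own images and CSS that carry a Referer naming some other site are a cheap indicator that a copied page is live somewhere and loading assets from the real IdP. This is an added example, not code from the thread or from Shibboleth; it assumes a hypothetical IdP host `shibboleth.example.edu`, Apache "combined" log format, and constructed log lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample access-log lines (Apache "combined" format), not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Mar/2018:15:01:02 -0400] "GET /idp/images/logo.png HTTP/1.1" 200 5120 "https://shibboleth.example.edu/idp/profile/SAML2/Redirect/SSO?execution=e1s1" "Mozilla/5.0"
203.0.113.6 - - [26/Mar/2018:15:01:05 -0400] "GET /idp/css/login.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2018:15:02:10 -0400] "GET /idp/images/logo.png HTTP/1.1" 200 5120 "http://shibboleth-example-edu.login-verify.test/idp/login.html" "Mozilla/5.0"
198.51.100.8 - - [26/Mar/2018:15:02:11 -0400] "GET /idp/css/login.css HTTP/1.1" 200 2048 "http://shibboleth-example-edu.login-verify.test/idp/login.html" "Mozilla/5.0"
203.0.113.9 - - [26/Mar/2018:15:03:00 -0400] "GET /idp/profile/SAML2/Redirect/SSO HTTP/1.1" 200 9000 "https://sp.example.org/" "Mozilla/5.0"
"""

# Apache combined log: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Static assets that only the genuine login page should be embedding (hypothetical paths).
ASSET_PREFIXES = ("/idp/images/", "/idp/css/")


def referer_host(referer):
    """Return the lowercase host of a Referer value, or None when it is absent or unparseable."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def foreign_asset_referers(log_text, idp_host):
    """Count, per referring host, login-page asset requests whose Referer names another site.

    A missing Referer is deliberately NOT counted: Referrer-Policy, privacy extensions and
    direct loads strip it routinely, so only a present *and* foreign Referer is a signal.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ASSET_PREFIXES):
            continue
        host = referer_host(m.group("referer"))
        if host is not None and host != idp_host.lower():
            hits[host] += 1
    return hits


if __name__ == "__main__":
    for host, count in foreign_asset_referers(SAMPLE_LOG, "shibboleth.example.edu").most_common():
        print(f"{count:4d} asset requests referred from {host}")
```

Feeding the real IdP's access log through this gives the security group a list of hosts to review rather than a block that phishers trivially bypass by copying the assets too.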